Educause Security Discussion mailing list archives
Re: Phishing education rollout
From: Paul Chauvet <chauvetp () NEWPALTZ EDU>
Date: Fri, 5 Sep 2014 10:25:28 -0400
Hello Peter,

We've been doing phishing simulations as part of our security training program for the past couple of years. There are a few things that we've done here which have helped it be a great success with VERY few complaints.

1. We made sure to get the buy-in of our senior leadership (President, Provost and other VPs) beforehand. They made sure to attend (and be seen to attend) our in-person training sessions and are also included in the phishing simulations. By doing so, they are showing the importance of it to the college and that there is no one 'above' the training.

2. We make sure to communicate that anyone can fall for these without appropriate training and that users should not see it as a personal failing to fall for such a message, but treat it as a teachable moment.

3. We've used positive reinforcement to thank users who consistently not only do not fall for phishing messages (real or simulated) but also report such messages. We occasionally send messages to these people thanking them for their contributions to making the sensitive information of the college safer.

4. When an occasional faculty member becomes angry and thinks that we are trying to trick them, we're honest with them. Yes - to some extent we are, but the criminals are doing so constantly. We are working not only to protect the college's data, but to protect individuals' personal data as well.

The push back we've gotten has rarely been from our phishing simulations but from the interactive online training we require. There have been complaints that they just don't have enough time, that it is 'beneath' them, or that they would never fall for such. Usually a phone call with these people is enough to convince them of the importance of the training. Failing that, sending a few targeted spear phishing simulations to them either convinces me that they really are competent, or convinces them that perhaps they are not as invulnerable as they think.
Paul Chauvet
Information Security Officer
State University of New York at New Paltz
Phone: (845) 257-3828
chauvetp () newpaltz edu

----- Original Message -----
To coincide with NCSAM, we are planning on kicking off a 1-year phishing education program. We’re partnering with an external company to execute the program and as we prep for the engagement, one thing we keep hearing of is the risk of angering the user base, having faculty go to the dean’s council, administration going to their VPs, and just general bad “press”.
We have support from the top to proceed with the program and will communicate to the target user base, but I’m wondering what others have done for their rollouts, and just ways to ensure success in this area.
Peter Lundstedt | Information Security Analyst
Drake Technology Services (DTS) | Drake University