Educause Security Discussion mailing list archives
Re: Phishing and Security Awareness Training - Faculty
From: "Sburlea, Stefan" <sburlea () CHAPMAN EDU>
Date: Wed, 13 Apr 2016 17:36:25 +0000
Great! Thank you, I keep hearing that communication to Management first and end users second is essential to the program. Best Regards, Stefan Sburlea Chapman University, IS&T Information Security Specialist sburlea () chapman edu Desk Phone: 714-744-7802 Chapman University I One University Drive I Orange, California 92866 UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS! From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Burke, Ian R. Sent: Wednesday, April 13, 2016 10:33 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty Hello Stefan, Here at Middlebury we also ran a small pilot for what we termed proactive phishing. We were very upfront about what we were doing and had very strong feedback. We actually had people asking to be a part of the program. Unfortunately, we did not have any more seats in our pilot. Our communication plan included notification to participant managers as well as to all participants. We also included status updates to all participants and institutional management on a monthly basis. I think this went a long way to winning and sustaining our support for the program. Our population included a small group of students and they were very vocal about running a larger program inclusive of students. A larger project is not on the books just yet but we may look into it down the road. Ian Ian Burke Information Security Administrator Information Security - ITS http://go.middlebury.edu/infosec Middlebury College From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Melanie Lever Sent: Wednesday, April 13, 2016 12:32 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty Hi Stefan, We began our phishing campaign in late February and our initial campaign consisted of 1/3 of our faculty/staff. Surprisingly we actually received more positive feedback than negative. We did have a couple of disgruntled users, but overall it went well. I would definitely recommend beginning communications of your plan early on to receive buy in from Administration. We are using Wombat and if you would like to reach out to me for more specific details, please feel free. I will be rolling out the second campaign next month. Melanie Lever Information Security Compliance Analyst University of Nevada, Reno 775.682.5097 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sburlea, Stefan Sent: Tuesday, April 12, 2016 5:03 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty Hello Valerie, Thank you for the resources. Very useful indeed. I was hoping my peers could share their experiences in practice with how the staff and faculty population received or perceived the training. Also which vendor was used would be useful info. I am trying to find the list of vendors that will be presenting at Educause Seattle and I had little success. Are you aware of such a list? (we are trying to connect with them before Educause) Best Regards, Stefan Sburlea Chapman University, IS&T Information Security Specialist sburlea () chapman edu<mailto:sburlea () chapman edu> Desk Phone: 714-744-7802 Chapman University I One University Drive I Orange, California 92866 UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS! From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valerie Vogel Sent: Tuesday, April 12, 2016 4:38 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Phishing and Security Awareness Training - Faculty Hi Stefan, Your question is very timely. The HEISC Awareness & Training working group just published a short paper on phishing simulation campaigns: https://library.educause.edu/resources/2016/4/phishing-simulation-programs[library.educause.edu]<https://urldefense.proofpoint.com/v2/url?u=https-3A__library.educause.edu_resources_2016_4_phishing-2Dsimulation-2Dprograms&d=BQMFAg&c=jifKnBYnyVBhk1h9O3AIXsy5wsgdpA1H51b0r9C8Lig&r=BMVx6KzEp7rbYXqkZ44Q1A&m=nm0I3iDxVDB4QRVP6sWc7xnxduCQU0MteKhVrQKBtPM&s=0i4oS94907X03L6CxsO4ILXd8MZ3MOShh_HzGOnAg_Q&e=> In addition to Brad Judy's guest blog that you mention below, we will soon be publishing a guest blog from Eastern Michigan about their phishing efforts. (Likely available in ~2 weeks.) We also have another guest blog on phishing (http://er.educause.edu/blogs/2016/3/april-dont-get-hooked[er.educause.edu]<https://urldefense.proofpoint.com/v2/url?u=http-3A__er.educause.edu_blogs_2016_3_april-2Ddont-2Dget-2Dhooked&d=BQMFAg&c=jifKnBYnyVBhk1h9O3AIXsy5wsgdpA1H51b0r9C8Lig&r=BMVx6KzEp7rbYXqkZ44Q1A&m=nm0I3iDxVDB4QRVP6sWc7xnxduCQU0MteKhVrQKBtPM&s=XBFt0YHmgGvm-dwVMEkF1JwMiETlEOUWQN1_-LZvtQo&e=>) that is part of our 2016 Campus Security Awareness Campaign (http://www.educause.edu/securityawareness[educause.edu]<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_securityawareness&d=BQMFAg&c=jifKnBYnyVBhk1h9O3AIXsy5wsgdpA1H51b0r9C8Lig&r=BMVx6KzEp7rbYXqkZ44Q1A&m=nm0I3iDxVDB4QRVP6sWc7xnxduCQU0MteKhVrQKBtPM&s=4_EgpS3N_ZFpWUA_UuPS7cZk4-akMPQzxPF8ZyEnxvU&e=>). If you will be at the 2016 Security Professionals Conference in Seattle next week, there will be several opportunities to discuss phishing with your peers: a BOF session on Monday, April 18 (8-10 pm), a lunchtime roundtable on Tuesday, April 19 (12-1:30 pm), and several sessions on Tuesday with a focus on awareness and training. I hope you find these resources useful as you continue this discussion with the community. Kind regards, Valerie Valerie Vogel Program Manager EDUCAUSE Uncommon Thinking for the Common Good direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu[educause.edu]<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.educause.edu_&d=BQMFAg&c=jifKnBYnyVBhk1h9O3AIXsy5wsgdpA1H51b0r9C8Lig&r=BMVx6KzEp7rbYXqkZ44Q1A&m=nm0I3iDxVDB4QRVP6sWc7xnxduCQU0MteKhVrQKBtPM&s=X-TtkeWi-8fnKfxaDzz-EQYFmTPSmkVrwmvOU3U7JUY&e=> From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of "Sburlea, Stefan" <sburlea () CHAPMAN EDU<mailto:sburlea () CHAPMAN EDU>> Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Date: Tuesday, April 12, 2016 at 4:09 PM To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Subject: [SECURITY] Phishing and Security Awareness Training - Faculty Hello, We are looking at starting a phishing/security awareness training. We are considering something like Wombat Security or GoPhish. Did you do something similar at your university and if yes, did you receive any negative feedback from your staff and faculty? What solution/vendor did you use? Searching through Educause archives, I found this great 10 point implementation checklist/guide : http://er.educause.edu/blogs/2016/4/phishing-your-users[er.educause.edu]<https://urldefense.proofpoint.com/v2/url?u=http-3A__er.educause.edu_blogs_2016_4_phishing-2Dyour-2Dusers&d=BQMFAg&c=jifKnBYnyVBhk1h9O3AIXsy5wsgdpA1H51b0r9C8Lig&r=BMVx6KzEp7rbYXqkZ44Q1A&m=nm0I3iDxVDB4QRVP6sWc7xnxduCQU0MteKhVrQKBtPM&s=BCU3LXYN0B7-3lx-98zQbNWc2x6LsPdAZvKkn7UB-kc&e=> Any insight is greately appreciated. Thank you, Stefan Sburlea Chapman University, IS&T Information Security Specialist sburlea () chapman edu<mailto:sburlea () chapman edu> Desk Phone: 714-744-7802 Chapman University I One University Drive I Orange, California 92866 UNIVERSITY STAFF WILL NEVER ASK FOR YOUR PASSWORD - DO NOT SHARE YOUR PASSWORD WITH OTHERS!
Current thread:
- Re: Phishing and Security Awareness Training - Faculty, (continued)
- Re: Phishing and Security Awareness Training - Faculty Sburlea, Stefan (Apr 14)
- Re: Phishing and Security Awareness Training - Faculty Sburlea, Stefan (Apr 14)
- Re: Phishing and Security Awareness Training - Faculty Thomas Skill (Apr 14)
- Re: Phishing and Security Awareness Training - Faculty Valerie Vogel (Apr 12)
- Re: Phishing and Security Awareness Training - Faculty Sburlea, Stefan (Apr 12)
- Re: Phishing and Security Awareness Training - Faculty Valerie Vogel (Apr 12)
- Re: Phishing and Security Awareness Training - Faculty Sburlea, Stefan (Apr 13)
- Re: Phishing and Security Awareness Training - Faculty Melanie Lever (Apr 13)
- Re: Phishing and Security Awareness Training - Faculty Sburlea, Stefan (Apr 13)
- Re: Phishing and Security Awareness Training - Faculty Burke, Ian R. (Apr 13)
- Re: Phishing and Security Awareness Training - Faculty Sburlea, Stefan (Apr 13)
- Re: Phishing and Security Awareness Training - Faculty Sburlea, Stefan (Apr 12)