Educause Security Discussion mailing list archives
Re: Initial Phishing Simulation - Do you tell them first?
From: "Hart, Michael" <mhart20 () MSUDENVER EDU>
Date: Thu, 13 Jun 2019 12:49:01 +0000
I agree with not making this punitive. I'd focus on gentle suggestions for our staff and faculty that fall for an internal phish. More of a "Whoops" than a "Gotcha!" I have also contemplated providing some prizes for the first to report messages from these campaigns. If we did a Starbucks-themed phish, we could provide $5 Starbucks gift cards to the first handful of people who report them to the correct resource on campus.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Neal O'Farrell
Sent: Thursday, June 13, 2019 6:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Initial Phishing Simulation - Do you tell them first?

I don't come from a university background but have developed many phishing campaigns over the years. My preference has always been to make all employees aware in advance that phishing is being phased in as part of an overall awareness improvement campaign or culture. Then start the campaign a couple of weeks after that communication - and there may have to be a couple of communications first. I find that two weeks is usually enough time for most employees to forget that a phish test is on the way, but then remember, when reminded, that they were told it was coming. A happy medium that doesn't impact baseline testing. Most humans, especially at work, don't like to feel they've been tricked or duped, made a simple mistake, made to look foolish etc. When employees get angry that they're being unfairly (in their minds) tested, it hurts the entire goal of a culture of vigilance.

Neal.

Neal O'Farrell
Schooled In Security
www.schooledinsecurity.org
neal () schooledinsecurity org
(925) 914 0248 (EST)
Security is fundamentally a battle of body parts - between the brain and the index finger. For the enemy to lose, the brain must win.

On Wed, Jun 12, 2019 at 9:51 PM David Eilken <david.eilken () domail maricopa edu> wrote:

All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about getting in trouble for failing)? I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue. I personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the infosec program. I would be surprised if it would skew the results much. We already send out notifications when a real campaign is active. Appreciate your input. Hope you're enjoying the summer.

Best,
Dave
--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | Facebook <https://www.facebook.com/maricopa.edu>