Educause Security Discussion mailing list archives
Re: Initial Phishing Simulation - Do you tell them first?
From: Eric Weakland <eric () AMERICAN EDU>
Date: Thu, 13 Jun 2019 13:51:39 +0000
David, I’m firmly in the "notify initially and stress it’s never punitive" camp. We’ve been doing Phishing Awareness Simulations for 3+ years. Here is what AU did.

1. Executive buy-in. We did a pilot program with the President of the university and their cabinet at the time; since they were frequent spear phishing targets, they were very receptive. This gave us their buy-in and support. They were sent phishing simulation messages and we were able to answer any of their questions and take their feedback – and the president sent a campus-wide message announcing the program, stressing it was never going to be punitive and was supported by them.

2. Initial campus-wide simulations were announced in advance in decreasing specificity over the 1st year. First we told them the simulation was coming on “Tuesday at 3:30pm”; next time it was “Tuesday afternoon”, then “sometime Tuesday”, then “sometime this week”, and so on. After a semester, we started just sending once-a-semester messages reminding the community that we would be doing this monthly.

3. We do simulations once a month to all faculty and staff, and several extra times (once a week) during cybersecurity awareness month.

4. The executive (president and cabinet level) awareness and public sanctioning of the program has gone a long, long way to overcoming any pushback from faculty and staff.

Cheers,

Eric Weakland, CISSP, CISM, CRISC, ITIL
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241

______________________________________________________________________
Emails from IT asking you to log in with a link are scams!
No one from Microsoft is going to call you about your computer!
The IRS isn’t going to call you and threaten legal action, unless you pay them using gift cards!
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of David Eilken <david.eilken () DOMAIL MARICOPA EDU>
Reply-To: "david.eilken () domail maricopa edu" <david.eilken () DOMAIL MARICOPA EDU>
Date: Wednesday, June 12, 2019 at 9:52 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Initial Phishing Simulation - Do you tell them first?

All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about getting in trouble for failing)? I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue.

I personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the infosec program. I would be surprised if it would skew the results much. We already send out notifications when a real campaign is active.

Appreciate your input. Hope you're enjoying the summer.
Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | Facebook <https://www.facebook.com/maricopa.edu>