Educause Security Discussion mailing list archives

Public Facing Faculty listings


From: "George J. Silowash" <gsilowas () NORWICH EDU>
Date: Mon, 9 Dec 2019 13:33:09 +0000

We have recently seen an uptick in phishing attacks utilizing faculty information published on our website. The 
malicious actors are able to identify department heads and their subordinates. The malicious actors then use this 
information to target a department head’s subordinates utilizing “legitimate” Gmail accounts posing as the department 
head to send phishing emails.

I have proposed removing individual contact information on the website and using contact forms, a department email 
account, along with several other methods to make it more difficult for the bad actors. I have been met with a great 
deal of resistance. 

Have you seen this problem? What are you doing to mitigate the risk (beyond training)? Does your website list faculty 
information? Are faculty required to have their information posted and/or can they opt out? Does your site take any 
steps to make it more difficult or costly (i.e., using CAPTCHAs to obtain information)? I am looking for options to help 
balance leadership’s desire to have public facing directory information with that of risks to individuals and the 
institution.

Any thoughts on this would be helpful.

V/R,
George
----------------------------------------------------------------
George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE, GCFA
Chief Information Security Officer
Norwich University
158 Harmon Drive
Northfield VT 05663
http://www.norwich.edu 
