Educause Security Discussion mailing list archives
Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice
From: Michael Duff <mjduff () STANFORD EDU>
Date: Mon, 17 Dec 2018 17:30:26 +0000
At Stanford, we conduct weekly simulated phishing campaigns for all employees -- see phishing.stanford.edu<http://phishing.stanford.edu>. My philosophy is that it needs to be frequent in order to provide effective training, otherwise it's merely testing susceptibility. Our phishing awareness program has been very successful thanks to our well planned advance communications and because we position it as "no harm, no foul". Tad Perillo (cc'd) leads the program and can provide more information upon request. Michael Duff Assistant Vice President and Chief Information Security Officer Stanford | University IT michael.duff () stanford edu<mailto:michael.duff () stanford edu> 650-721-3111 On Dec 17, 2018, at 8:38 AM, Allan Chen <allanchen () MUHLENBERG EDU<mailto:allanchen () MUHLENBERG EDU>> wrote: Alexander, You run monthly phishing simulations? Do you set them up so that it's obvious that it's a simulation? Do you run them monthly across the entire institution? That seems pretty frequent, and I worry that if we tried that here that the community would feel we are trying to "trick" them on a regular basis. Faculty, in particular. I know monthly is considered the standard in industry. Higher ed is weird, we all know. allan Chief Information Officer Muhlenberg College<http://www.muhlenberg.edu> 484-664-3464 Office of Information Technology Blog<http://it.blogs.muhlenberg.edu> twitter: @kaiyen<https://twitter.com/kaiyen> On Mon, Dec 17, 2018 at 11:23 AM Alexander Johnson <000000a201751165-dmarc-request () listserv educause edu<mailto:000000a201751165-dmarc-request () listserv educause edu>> wrote: Ashley, Our institution uses Knowbe4 for this purpose. We have seen great results. We require our full-time staff/faculty to complete yearly training that covers basic threats that our users may encounter. This coupled with monthly phishing simulations has greatly increased awareness. In fact, users are now overly cautious when it comes to email but this is handy when something inevitably get past our spam filter. I’m happy to answer any specific questions you have via email or phone. Alexander Johnson Network Administrator Information Technology o: 918.335.6295 m:918.332.6587 OKLAHOMA WESLEYAN UNIVERSITY <image001.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.okwu.edu%252F%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3du%252FwuLCi7nXTTm23ZCJO4YUsv3Rd67rU5DtFd1g%252BPmCQ%253D%26reserved%3d0&c=E,1,7zX8hnkU4k3O9q9fFaxjt4gZjo9olZYy3D2ATJtT1VrO3pzLemageCtZMhUAqSpXgMLngR3dBJz199bzlolPj-mmbSlG-6CmRIeanoTWVjQ,&typo=1> <image002.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.okwueagles.com%252F%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3dqqfnntGI8HTE8MWCSQ%252BkiTQuM3kkg31wqqCF1onSXUU%253D%26reserved%3d0&c=E,1,X_25xVM06z2xeIwnjacGdtKe9I9jn8-sMynbc0AcT_L0EJoGJsuE5cs3h5c-497IN7UvL9iAJ6m2Zsecy_PcnI_52TwmLv9Su_cCr9Y1fQ,,&typo=1> <image003.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.facebook.com%252Fokwuniv%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3d0BXM6ydAOlpq%252F%252FrX%252FZjHwhRCvwgH8625d10rvutr3s4%253D%26reserved%3d0&c=E,1,j03KOOLeawEqRgNOFcd0M6jOllWA_iaUTXcvBsBVWAqUEc_2FSkCtA7pn2W4XLDnsij8rddmp5NI_Dud87K3HkxmC1lRhEpHdG8jOsA--Oi_5cnilg,,&typo=1> <image004.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.twitter.com%252Fokwuniv%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3dHyaGXY6Lpssh98aCrE%252FPnW0rNF3ewpP0bhFkrPW3Rrs%253D%26reserved%3d0&c=E,1,0vO2_GHutdNUsI_cWf3uNSImZTDn0U5TuyZQt1HwXHLMn0N7DZMLTqpOmsbou_ntVKD4tHRTq3YLmvrHxfbSj7C3nIUMkYiTU4p4uqMArMqi&typo=1> <image005.png><https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fna01.safelinks.protection.outlook.com%2f%3furl%3dhttp%253A%252F%252Fwww.instagram.com%252Fokwuniv%26data%3d01%257C01%257CBrett.Nelson%2540arris.com%257C9b9489fd9ee64cb4d07a08d5e37d7607%257Cf27929ade5544d55837ac561519c3091%257C1%26sdata%3dMpab7i67Ktsfawj%252FjmFqqq0cZzpuy4FBConYyZkeEjg%253D%26reserved%3d0&c=E,1,tj5h1aQn6TiMquUFbTip0u6lH0csi6YNAUyGmmZ2Mtvt-avD8X7R4UKzgdEa0QljkUgkTx_ZxEQVfUgS9NTThy8Hv0Zu3uXjiyg1nxuHK4Bfw-fl1-o,&typo=1> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Valentijn, Ashley Sent: Monday, December 17, 2018 9:58 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Good morning, We want to launch an internal phishing simulation in order to better train our employees on recognizing phishing emails. Target participants are university faculty and staff. Any advice, suggestions, and/or recommendations on how to successfully implement such a simulation would be much appreciated. We are looking at possibly using GoPhish or Microsoft's new Phishing Attack Simulator. Thank you in advance! Feel free to send me a direct email or I am also open to the possibility of a quick phone call. Warm Regards, Ashley Valentijn Security Engineer Information Security Office University of Miami P: 305-284-4582 | E: axv749 () miami edu<mailto:axv749 () miami edu>
Current thread:
- Internal Phishing Simulation Advice Valentijn, Ashley (Dec 17)
- Re: Internal Phishing Simulation Advice Scantlin, Aaron J. (Dec 17)
- Re: Internal Phishing Simulation Advice Manjak, Martin (Dec 17)
- Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Alexander Johnson (Dec 17)
- Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Frank Barton (Dec 17)
- Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Allan Chen (Dec 17)
- Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Alexander Johnson (Dec 17)
- Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Michael Duff (Dec 17)
- Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Kevin Wilcox (Dec 17)
- Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Alexander Johnson (Dec 17)
- Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Kevin Wilcox (Dec 17)
- Re: [EXTERNAL] [SECURITY] Internal Phishing Simulation Advice Shahra Meshkaty (Dec 17)
- <Possible follow-ups>
- Re: Internal Phishing Simulation Advice Brad Judy (Dec 17)
- Re: Internal Phishing Simulation Advice Valerie Vogel (Dec 17)
- Re: Internal Phishing Simulation Advice Eric Weakland (Dec 17)
- Re: Internal Phishing Simulation Advice Valerie Vogel (Dec 17)