Educause Security Discussion mailing list archives
Re: Initial Phishing Simulation - Do you tell them first?
From: Dennis Bolton <bolton () OAKLAND EDU>
Date: Thu, 13 Jun 2019 08:02:02 -0400
Hi Dave,

We are early in our Phishing roll out and have so far limited campaigns to our Central and Distributed Technology staff. We gave them a heads-up that Central IT was going to start a phishing awareness education campaign in the near future but didn't give them specifics. We waited about a week and then sent the first round of emails.

I think the prior notice made our staff more receptive and open to discussion, and I don't believe it had a significant impact on the results.

Dennis Bolton
Information Security Officer
Oakland University
Dodge Hall Rm 220
118 Library Drive
Rochester, MI 48309-4401
248-370-4803

On Thu, Jun 13, 2019 at 7:50 AM Scott Stoops <sstoops () ashland edu> wrote:
We chose to not notify our faculty/staff/students when we did a phishing campaign for the reason that we did not want folks to know. We felt that knowledge would skew the results. However, we had support from leadership to do this. On the day of the campaign only a few people at the university knew the campaign was taking place. We also intentionally did not do the communications we would do normally. Once a statement was made to the community it came from the president and not from IT.

There were employees who were not happy with how we handled this. Going forward we would communicate more about the overall goals of awareness training and evaluation. I would still take the view that we would not tell people when the phishing test is being done. My hope is that they would not fall for the attempt because the awareness training is effective rather than that they were aware that a test was being performed. If we present the overall campaign as a training tool then we should be able to reduce anxiety about being "caught".

--------------------------------------------------------------------------------------------------
Scott Stoops, CISSP
Security Analyst Engineer III
Office of Information Technology | 100 Patterson Technology Center
Ashland, OH 44805
(w) 419-289-5405
sstoops () ashland edu

On Wed, Jun 12, 2019 at 9:51 PM David Eilken <david.eilken () domail maricopa edu> wrote:

All,

I have seen some threads on phishing in the past, but have a very specific question. When you started your phishing campaign/program, did you notify your staff/faculty that the simulations were coming (and not to worry about getting in trouble for failing)? I know KnowBe4 suggests not informing the population prior to doing a baseline. I've heard some pretty bad horror stories about the faculty not being too happy about getting a test phishing email sprung on them out of the blue.
I personally don't see a huge upside to not letting them know what the broader campaign is about and how it supports the infosec program. I would be surprised if it would skew the results much. We already send out notifications when a real campaign is active.

Appreciate your input. Hope you're enjoying the summer.

Best,
Dave

--
DAVID EILKEN
MARICOPA COMMUNITY COLLEGES
Information Security Officer | ITS
2411 West 14th Street, Tempe, AZ 85281
david.eilken () domail maricopa edu
https://www.maricopa.edu/
O: 480-784-0637
LinkedIn <https://linkedin.com/school/maricopa-community-colleges> | Twitter <https://twitter.com/mcccd> | Facebook <https://www.facebook.com/maricopa.edu>
Current thread:
- Initial Phishing Simulation - Do you tell them first? David Eilken (Jun 12)
- Re: Initial Phishing Simulation - Do you tell them first? Scott Stoops (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Dennis Bolton (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Sonder, Henk E. (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Valerie Vogel (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Jason Fried (Jun 13)
- Re: [External] Re: [SECURITY] Initial Phishing Simulation - Do you tell them first? Gregg, Christopher S. (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Brad Judy (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Rob Milman (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Valerie Vogel (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Scott Stoops (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Ken Connelly (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Neal O'Farrell (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Hart, Michael (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Neal O'Farrell (Jun 13)
- Re: Initial Phishing Simulation - Do you tell them first? Hart, Michael (Jun 13)