Phishing Drills: Countering the Phishing Threat at MassArt

Background: The Threat Landscape in Higher Education

Higher education is facing some serious cyber threats from malicious actors these days. A threat that can also have dire consequences is lack of employee cyber security awareness, viz. employees (staff and faculty) who are insufficiently aware of behaviors that create risk to systems, the network, or confidential information. Clicking on phishing emails (deceptive emails that attempt to get the recipient to take an action that gives a cybercriminal unauthorized access, confidential information, or the ability to steal financial information) is one example of careless behavior by employees. Moreover, clicking on phishing emails is a tactic used in most privacy and cyber security breaches, including the CCC breach.

What can we as a community do about these threats?

It would be nice if the solution to defending against phishing email attacks and other cyber threats was as simple as everyone attending a cyber security awareness training class. Unfortunately, training doesn’t automatically change behaviors. To effect positive change in this area, all employees need exposure to cyber exercises that reinforce the behaviors that help keep us safe. Fire drills are based on this principle.

To facilitate awareness and promote positive behaviors when encountering phishing emails, the Technology department has made an investment in KnowBe4, a product popular with higher education; several COF schools use this same tool for phishing awareness and education (e.g., Wentworth and Emmanuel).

What is changing for MassArt staff and faculty?

In the coming weeks and months, the College’s Information Security Officer, Bryce Cunningham, will be sending simulated phishing emails to MassArt staff and faculty on a random schedule. Not everyone will get these emails the same day, nor will everyone get the same email, but everyone will receive the same number over the same period of time.

What is the purpose of the exercises?

The goal of a phishing exercise is to reinforce proper, and improve poor, cyber security hygiene. In practical terms, cyber hygiene in this instance means following the steps to evaluate an email for legitimacy and responding appropriately if it's suspected to be malicious.

Awareness is a process, and phishing exercises are a way to accelerate both the building of good cyber habits and getting us closer to the ideal outcome we all want: No employee ever being deceived by a phishing email.

What should I expect during a phishing exercise?

The exercise begins when you receive a simulated phishing email from me. It shouldn’t be obvious the email is part of an exercise, because it will have most of the characteristics of a true phishing email. The subject of the email could be anything, such as current events, government notices, or IT alerts, and it will use tactics cybercriminals have used successfully to get their victims to click. If you do click on a link or an attachment in a simulated phishing email, you’ll be redirected to an educational web page. Please read this page! It will remind you to practice good cyber hygiene when evaluating emails; otherwise, you won’t get the full benefit. And don’t feel bad if you do click: the objective is to improve your awareness of – and resiliency to – deceptive email tactics. These are safe, educational emails, and nothing truly malicious is in the links, images, or file attachments.

Final thoughts

Phishing awareness exercises are an important milestone for MassArt. Our expectation is that, over time, our community will be demonstrably less vulnerable to phishing attacks as a result of these exercises than it was before the drills began. Please contact me any time with questions about the phishing exercises or other information security topics.

Details

Article ID: 12209
Created
Thu 9/26/24 2:51 PM
Modified
Thu 9/26/24 3:19 PM