Teach your college to ignore the cyberbait

Mock phishing emails boost security by showing everyone what hacking attempts look like

It’s no secret that insufficient cybersecurity is a concern on the minds of many in higher education. From IT support staff to upper-level administration, everyone wants to protect student data from the hackers who hope to pilfer it.

In the March UB “On Topic Q&A,” security and risk consultant Joanne Martin indicated that students and faculty should be made aware of the seriousness of cybersecurity threats. She suggested “fake emails” should be sent to students to gauge their response to phishing attempts.

The Christ College of Nursing and Health Sciences has subscribed to this practice for two years, and resulting data suggests it did increase awareness.

Uncovering the problem

In August 2016, a vendor-generated mock phishing email was sent to 873 of our students, faculty and staff (90 percent of the total population), prompting them to click on a link to change their password. Some 142 people “failed” by either clicking on the link and/or submitting a new password.

After that first test, the Educational Technology Department launched an aggressive campaign to educate our community about the risks associated with phishing emails. Messages were carefully crafted and disseminated by way of the college’s most visible and well-received channels—digital signage and our Blackboard LMS.

Messages focused specifically on the threats associated with phishing, reminding our users that they should not respond to emails requesting sensitive data such as passwords.

Additionally, the Ed Tech staff began offering a consistent schedule of hourlong cybersecurity workshops that offered incentives for attendance. Workshop topics included phishing, identity theft, password security, malware, virus protection, and safe use of public Wi-Fi and social media.

A lot less failure

Approximately three months after the first mock phishing email was sent and the campaign was launched, a second email was sent to 761 students, faculty and staff. This time, only four people failed. That’s less than 0.5 percent, reduced from a nearly 16 percent failure rate in the first test.

Those who failed the second test were contacted by Ed Tech staff regarding the importance of cybersecurity; they were sent a link to a computer-based cybersecurity training module and encouraged to attend a workshop.

Since 2016, Ed Tech has ramped up its efforts to ensure continued awareness of cybersecurity. A cybersecurity workshop is now included in a mandatory student registration event held each semester. Students, faculty and staff must complete an annual safety-and-wellness training that includes workshop content.

The most recent test of 1,076 users resulted in a 99.5 percent pass rate. The success of campaign efforts continue to be validated.

Best practices

Others who seek to develop a cybersecurity campaign should consider the following advice, based on lessons learned:  

  • Make training and messaging relevant. Our students learned how regularly colleges and health care providers are targeted by phishing emails. Students need to understand how frequently they will be baited for their access to patient health information.  
  • Look for opportunities to weave the training content into courses and orientations, where appropriate.
  • Write a cybersecurity awareness initiative into a departmental or strategic plan to ensure that resources are dedicated to the effort.
  • Track data over time to ensure ongoing effectiveness of training efforts.
  • Track users to identify repeat offenders who need extra training. 

Meghan Hollowell is dean of College Support Services at The Christ College of Nursing and Health Sciences.

Most Popular