February 2015

EDUCAUSE IT Communicators Online Coffee Shop Meeting Notes for 2.6.15

Presenter: Andrea Tanner, Director of Enterprise Support for the Division of Information Technology, Eastern Michigan University.

Topic: “Boot (or Reboot) Your Security Awareness Program”

Participants: 27

Presentation Notes:

In 2012:

· We operated in a vacuum

· Not a successful program

· Then, a professor asked whether IT would like to collaborate on a security awareness effort

· Collaborated with IT, College of Tech, Faculty and Communications

· We created a mission

· Team of 5 people, from across the campus

o No one is a full-time security employee

o This is part of our other responsibilities

o In this slide, see our team in T-shirts with our logo - very popular

· Strategy

o Defined a campaign for 2-3 years

§ Three main topics:

· Clicking (be careful what you click)

· Posting (be careful where you post your info)

· Typing (be careful where you type your password)

o Defined a graphic identity, which changes every 2-3 years

§ Branding

§ Logo designed by a student

§ Launched a kickoff with three cartoons (one for each topic); commissioned an alumnus who was good with cartooning and was a contact of one of the committee members.

§ Launched with kickoff during National Cyber Security Awareness Month

o Created videos with animated mascots

§ Video topics included choosing strong passwords

§ Well-produced videos, but they have low view counts; we need to promote them more to get the message out to users

o Promote with shirt giveaways

§ Cool logo generated interest

§ T-shirts with interesting logos are popular. Ours are some of the only black T-shirts on campus, and feedback is that their owners LOVE having a black Eastern T-shirt.

o Campaigns timed at different points in the year

§ Sticky notes campaign

· We looked for unattended computers across campus and tagged them with a customized sticky note (Vista Print) identifying each one as an unsecured computer

· Be sure you get permission from departments in advance — before you start putting sticky notes on computers!

· Custom sticky notes (we used Vista Print)

o Refreshed website

§ Still a work in progress

§ Use current issues, safety tips

§ Website: http://www.emich.edu/it/security/initiatives/cybersac/cybersac.php


o Social media bursts

§ University Marketing department does social media, but we don’t.

§ So, we give them the content

§ We give them the graphics

· Facebook cover – users can download and temporarily change their own FB cover to promote our campaign

o Faculty doing skits (C2)

§ The group is an Eastern Michigan tradition; we asked them to put together a computer safety skit and they did an excellent job. The actors were scattered across the dining room during lunch and stood up at different times, calling out to each other and across the room; one was a "phish" - click me, click me. Another stood up and yelled something like “OMG, my bank account just got emptied.”

· Very popular, very effective. People came over to the info table for more details.

· Present at orientation, various events

· Created a lot of interest among unsuspecting students in the crowd

· Get permission from the building/unit in advance for these types of “flash skits”

o Faculty connect/engagement presentation

§ Turned presentation into a Q&A

· What do I do if my computer is compromised?

· How do I put a passcode on my phone to make it more secure?

§ Professional development seminars

§ Very effective

o Keep it alive monthly: always promote!

§ Sometimes, just new posters or engagement tables

§ During national security incidents, send new messages

§ Keep alive in a person’s mind to always stay secure

§ Tie in with national or local events; ex: Home Depot data loss, some of the literature indicated the break-in might have begun with phishing.

o Posters, table tents

§ Always keep logo

§ Keep characters in all printed materials

§ QR code note: We added the URL at the bottom of the media and found that more people take pictures of the media than actually use the QR code.

o Bookmarks

§ In library with new book checkouts, libraries willing to distribute

§ Also, hand out at bookstore

o Print advertisement

§ Student newspaper (3 times a week) is wildly popular, can’t afford to advertise every week so we hit high traffic times like homecoming.

· We post ads in color during special weeks when readership is higher

· Graphics were excellent! (Comment by ITComm audience)

· Q from ITComm: did the cartoonist work on the other media for the duration of the campaign? No, we’ll hire the cartoonist again for a refresh, but others handle the graphics for the bookmarks, posters, web site, etc.

· PhishMe: Product we purchase to send fake phishing emails to our community in order to gauge their response (number of clicks, number of people who gave their username and/or password) and to use as a security awareness/education tool

§ We have permission to phish our staff

§ Faculty are opt-in; staff are mandatory to participate; students: not enough money in budget to expand to students

§ Send fake messages and URLs encouraging people to take action

§ When we create a really clever message, we get amazing results. The users actually give up their username and passwords.

§ Of course, we don’t keep passwords; they are discarded immediately and not retained in the PhishMe application.

§ Immediate response to the user, like “you have been caught/phished”; some staff have even begun talking about it socially, like “oh, you clicked that one.”

§ Generally very positive results, the most-likely clicked links were in university-style messages like “Dining Services has a sale on…” but make sure you clear it with the department that is being spoofed in the PhishMe message! They will get a lot of calls about the message.

§ Not a penalty

§ No record of who falls for phish (specific individuals)

§ Our faculty didn’t want data showing who participated and didn’t (staff vs. faculty)

§ Staff responses: We get more thanks, or people treating it like a game, than anger about our sending these phishes.

§ We market it heavily as a security tool: better to learn your lesson with this than to learn it the hard way with your personal accounts.

§ No public humiliation at all. No names revealed. Only aggregate data on number of people who responded; number of clicks, etc.

§ Do you measure success over time to show effectiveness?

· Yes, with PhishMe.

· Not with marketing pieces (table tents, fliers, etc.)

§ Is there data comparison with other institutions?

· Andrea not aware of other universities using PhishMe

· Would love to talk to anyone at another university who is using PhishMe

· Also, the data showed that most phishing links are clicked in the first hour of the campaign, so our “don’t click that link” messages, sent after people started reporting the phish, were too late to be effective.

§ How did you publish the PhishMe results?

· Publish on our website

· Website: http://www.emich.edu/it/security/initiatives/cybersac/phishme.php

· When people give away their password, a video instantly shows to explain they fell for a phish

· We try to craft a variety of phish emails: Easy, hard, university oriented messages (get approval from those departments first)

o Ex: “Click on this email to get a big discount on meals in the dining halls!”

o First hour, that’s when most people act on phishing emails.
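The PhishMe discussion above makes two points a practitioner would want to see in working form: the program reports only aggregate numbers (clicks, credential submissions, no individual names) and discards any submitted password immediately, and the timing data showed most clicks land in the first hour. The following Python is an added example, not code from the EMU program or the PhishMe product; it assumes a simple constructed event list (recipient token, action, timestamp), since the page does not show PhishMe's real export format.

```python
"""Aggregate-only reporting for a simulated-phish campaign (added example).

Assumes a flat list of SimEvent records; the recipient token is used only to
count distinct people and never appears in the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class SimEvent:
    recipient: str   # opaque per-person token, used only for de-duplication
    action: str      # "sent", "clicked", "submitted" or "reported"
    at: datetime


def landing_page_submission(recipient: str, form: dict, at: datetime) -> SimEvent:
    """Record that a credential form was posted on the training landing page.

    Only the fact of submission is kept; the username/password fields in
    `form` are deliberately never read, logged or stored.
    """
    return SimEvent(recipient=recipient, action="submitted", at=at)


def aggregate_report(events, sent_at: datetime, window=timedelta(hours=1)) -> dict:
    """Campaign metrics as counts, rates and timings only (no identifiers)."""
    people = defaultdict(set)   # action -> set of recipient tokens
    first_click = {}            # recipient -> earliest click time
    first_report = None
    for e in events:
        people[e.action].add(e.recipient)
        if e.action == "clicked":
            if e.recipient not in first_click or e.at < first_click[e.recipient]:
                first_click[e.recipient] = e.at
        elif e.action == "reported":
            if first_report is None or e.at < first_report:
                first_report = e.at

    recipients = len(people["sent"])
    delays = [t - sent_at for t in first_click.values()]   # one per clicker
    in_window = sum(1 for d in delays if d <= window)
    minutes = lambda d: d.total_seconds() / 60
    return {
        "recipients": recipients,
        "clicked": len(first_click),
        "submitted_credentials": len(people["submitted"]),
        "reported": len(people["reported"]),
        "click_rate": round(len(first_click) / recipients, 3) if recipients else 0.0,
        "clicks_within_window": in_window,
        "window_share_of_clicks": round(in_window / len(delays), 3) if delays else 0.0,
        "median_click_delay_min": median(minutes(d) for d in delays) if delays else None,
        # how long until the first user report arrived; compare with click timing
        "first_report_delay_min": minutes(first_report - sent_at) if first_report else None,
    }


def report_is_aggregate(report: dict, events) -> bool:
    """Guard: no recipient token may leak into the published report."""
    text = repr(report)
    return not any(e.recipient in text for e in events)


# Constructed sample campaign: hypothetical tokens u001..u008, sent at 09:00.
CAMPAIGN_SENT_AT = datetime(2015, 2, 6, 9, 0)
_t = lambda h, m: datetime(2015, 2, 6, h, m)
SAMPLE_EVENTS = [SimEvent(f"u{i:03d}", "sent", CAMPAIGN_SENT_AT) for i in range(1, 9)] + [
    SimEvent("u001", "clicked", _t(9, 5)),
    SimEvent("u001", "clicked", _t(9, 6)),     # repeat click, counted once
    landing_page_submission("u001", {"username": "u001", "password": "discarded"}, _t(9, 6)),
    SimEvent("u002", "clicked", _t(9, 12)),
    SimEvent("u003", "clicked", _t(9, 40)),
    landing_page_submission("u003", {"username": "u003", "password": "discarded"}, _t(9, 42)),
    SimEvent("u004", "clicked", _t(9, 55)),
    SimEvent("u006", "reported", _t(10, 10)),  # first "is this real?" report
    SimEvent("u007", "reported", _t(10, 30)),
    SimEvent("u005", "clicked", _t(11, 30)),   # the late clicker, after reports
]


if __name__ == "__main__":
    r = aggregate_report(SAMPLE_EVENTS, CAMPAIGN_SENT_AT)
    assert report_is_aggregate(r, SAMPLE_EVENTS)
    for k, v in r.items():
        print(f"{k}: {v}")
```

On the constructed sample, four of the five clickers act within the first hour and the first user report arrives 70 minutes after sending, which is the pattern the notes describe: a warning triggered by reports arrives after most of the damage is done, so the landing-page feedback has to carry the lesson.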

· Engagement tables: Special tables set up at library to help students on specific security issues or topics

o Most popular table was when we set up “CrackMe” – an application to show how fast a password could be cracked. Nothing was stored, no passwords were compromised in this activity. People stood in line to play. Said they would stand in line to play even if there were no give-aways. The Library asked us to change the logistics because our line actually blocked their entrance for a little while.

o Very time intensive, but very effective – if you want people to take action, you need to make it easy for them to do so in person. Tables work best early in the campaign, traffic dwindles after two days.

o Mobile security device handouts

§ iOS, Windows, Android

§ Very popular handouts

§ Lots of people didn’t know you could do those things

o Very effective in helping people at engagement tables

§ We noticed spike in password changes on days when we’ve had password changing engagement tables

· Data shows our effectiveness

· Best ROI: Engagement Tables

o Staff time

o You don’t really need a bunch of swag; just being there is what matters

· Next best ROI: PhishMe

o It is costly, but effective

o Fund every year

· Our budget

o Funded across several units

o No set budget for security

o PhishMe: license for 1,000 staff is $20,000 estimated

o Shirts and other marketing materials: $3,000-$4,000 a year

o We have fun with this effort with faculty, staff

§ Fun! Fun!

§ Collaborative effort is fun

· Resources:

o Highly recommend watching “Creating a Powerful User Defense Against Attackers” on youtube: http://youtu.be/KVkmtfKVgUA - although it's long, it has very good info.

o Password checker: http://hsimp.ihopeit.works/

End of Andrea Tanner’s presentation

Notes taken by Kerri Testement, University of Georgia, and Carlyn Chatfield, Rice University.

-----------------

General discussion after presentation; notes not taken. Chat notes for session follow.

· Carlyn @ Rice U: Hello, everyone! What's is your weather right now? Houston has gray skies, but no rain.

· Sarah @UGA: Athens is cold but sunny and beautiful!

· Trish Harrison: Beautiful and sunny in Las Vegas!

· Deb Dexter: We're frozen in Mass, and will be buried in snow come Monday!

· David @ Univ of KS: Lawrence, KS is sunny and 41 degrees following brutal cold yesterday

· Trish H @ UNLV: Happy Friday everyone

· Pat Falcon (Brown University): Sunny but icy & 18 degrees here in RI

· Gary@VCU: 23 degrees and sunny with blue skies in Richmond.

· Jennifer @ Penn State: Hi everyone! All of the participants are on mute right now. If you have any questions, please don't hesitate to post them here.

· Trish H @ UNLV: Do you find much traffic through the QR codes?

· Stan - NC State: Wonderful ideas and resources!

· Clark: Is this meeting being recorded (can it be viewed later?)

· Trish H @ UNLV: TY - we go back and forth on the use of QR codes

· Trish H @ UNLV: Yes thank you!

· Jennifer @ Penn State: It is actually not being recorded, but Carlyn is taking lots of notes and Andrea can share her slides out later

· Carlyn @ Rice U: Did the cartoonist participate in any other media or only the three initial cartoons?

· Rick Lesniak - SUNY U. Buffalo: We've abandoned use of table tent cards. Follow-up metrics reveal them to be not worth the investment. Better are bus headliners, residence hall posters.

· Trish H @ UNLV: Do they get annoyed or feel tricked when they get phished? Like IT is "trapping" them? We've had some debates on how this would be received by staff.

· Jennifer @ Penn State: Good question, I will ask in just one moment!

· Trish H @ UNLV: We are hot in the middle of security campaign planning so lots of questions today TY

· Trish H @ UNLV: Oh, interesting. Good news!

· Jennifer @ Penn State: haha keep them coming, they are great questions!

· Trish H @ UNLV: We've had faculty go to our IRB about doing this, they were fine with it as long as we weren't going to publish results.

· Deb Dexter: Is the "lesson learned" private so no public humiliation?

· Trish H @ UNLV: Yes! Thanks again.

· Deb Dexter: thanks

· Rick Lesniak - SUNY U. Buffalo: Do you measure the effect over time, to see if your campaign is being effective?

· Brad @ Findlay: Is there data comparison from your staff & others? Wondering if your program has cut down the numbers?

· Brad @ Findlay: No with other universities?

· Rhonda @ NC STATE: How did you publish the PhishMe results to employees?

· Pat Falcon (Brown University): We've found that only about 10% of compromised accounts belonged to staff and around 6% for faculty, with 50% belonging to undergrads (for this past fall semester). I understand about funding and that the higher risk to the institution may come from staff and faculty compromises, but know from these numbers that we need to focus our efforts on the students. We don't use Phish Me.

· Greg Stauffer: We do proactive phishing at CU-Boulder, but I'm not sure what tool is used for that.

· Trish H @ UNLV: We've been looking at the SANS Securing the Human Phishing VLE, sounds similar to PhishMe

· Jennifer @ Penn State: http://www.emich.edu/it/security/initiatives/cybersac/cybersac.php

· Jennifer @ Penn State: Here's the published information: http://www.emich.edu/it/security/initiatives/cybersac/phishme.php

· Trish H @ UNLV: We did this once - only had one person say "i'm not putting in my password into some random tablet!" - They got a high five.

· Trish H @ UNLV: What effort would you say has given you the best ROI?

· David @ Univ of KS: Will the presentation be available by PDF after the webinar? Please, Please!

· Jennifer @ Penn State: Hi David - They will definitely be available, but I defer to Carlyn and Andrea as to the format!

· Carlyn @ Rice U: Yes, PPT slides will be available with notes in ITComm wiki. I'll try to convert to PDF as well.

· Trish H @ UNLV: Thank you!

· Chad @ CC: Yes, thank you - very valuable!

· Darrell: I just got into the session. Is there a recorded version. Sorry to be late

· Carlyn @ Rice U: I took notes and will publish on the ITComm wiki with slides. I did not take notes during discussion

· David @ Univ of KS: Are you comfortable sharing the budget for the campaign? Did you begin with a set budget in mind?

· David @ Univ of KS: Thank you! Great information! Love the creative graphic design for the campaign

· Trish H @ UNLV: the SANS Phishing VLE displays a "OOPS! You were phished." webpage as well

· Trish H @ UNLV: Does PhishMe let you send emails from your university email domain? (@emich.edu)

· Trish H @ UNLV: Yes - thank you. the SANS Phishing VLE does not.

· Trish H @ UNLV: No more question - thanks for sharing your experience!

· Patrick @ U. Oregon: Thank you, Andrea

· Deb Dexter: what's the next coffee shop?

· Deb Dexter: the anthem discussion is interesting

· Carlyn @ Rice: nice CIO response to ITComm question, is Mitch online now?

· Mitch @ Bowdoin: I am

Mitch made a verbal comment about no one in IT being singled out for praise –we’re all one IT organization.

· Trish H @ UNLV: Credit or blame! (no one singled out)

Question about sending messages to campus re: external incidents (anthem, etc.), also guest speakers during NCSAM or other security events

· Trish H @ UNLV: Agreed - we could send a notice every day if we tried to keep everyone up to date on everything. Unless it's something that directly involves us, we don't send "official" communications, but we'll share articles on our social media pages for the "big" scares.

· Deb Dexter: we have esteemed faculty present on the topic

· Carlyn @ Rice U: The fraud prevention specialist from a regional bank is our most popular security speaker. Next fave is a lawyer specializing in HIPAA and medical center security issues.

· Trish H @ UNLV: I reached out to have the Terms & Conditions May Apply movie brought to campus to show and then do a facilitated discussion, but the company has not gotten back to me (multiple times) :/

· Carlyn @ Rice U: Oh, I got Terms and Conditions May Apply last year. We have a campus license -not very expensive - to put it in our LMS so anyone with a Rice NetID can see it.

· Trish H @ UNLV: Oh, didn't know that was an option Carlyn. I'll look into it!

· Trish H @ UNLV: We were able to have Kevin Mitnick speak to a class once, his intern was in the class -- that was amazing.

· Trish H @ UNLV: Does anyone do IT Security Certifications or mandatory IT training?

· Trish H @ UNLV: Another debated topic - whether people would opt-in, or only do it if required.

· Rhonda @ NC STATE: Awesome presentation Andrea! Enjoyed hearing about your creative approaches to IT Security Awareness, including the collaboration among the different campus units.

· Brad @ Findlay: Thank you was great

· Trish H @ UNLV: Yes! Always great to connect with others. TY.

· Mitch @ Bowdoin: Thank you!

· Carlyn @ Rice U: Great job, Kerri and Andrea! See you next time!

· Trish H @ UNLV: Thanks everyone! Have a great weekend.

· Laura@UGA: thank you!

· Jennifer @ Penn State: Thanks everyone! Have a good one!