I recently shared this info on the RESNET list, so I apologize if anyone is
also on that list and has seen it already.  :)

-Becky Klein

Here at Valpo, we do several things to help educate our community about
cyber threats.

~ First, we use GSuite for email/collaboration.  So Gmail automatically
blocks a lot of the offending things (such as .exe files), and has great
spam filtering.  We try to teach people how to use the "report spam" and
"report phishing" tools within Gmail to help filter the bad stuff out that
does slip through.

~ When we start receiving numerous identical reports of phishing scams
circulating campus, we send a campus-wide email reminding people to not
share their login information.  It usually includes a description of the
current scam and points out indicators that show it's not legitimate.  (I
can forward one of the more recent examples if that would be helpful.)
 Over the years we've had a lot of people fall victim, from international
students all the way up to high-ranking administrators.  Since we started
emailing campus though (which is probably 3-4 years ago now), the number of
victims has dropped dramatically.  We have a couple YouTube videos about
how to recognize phishing and how to recover from falling victim, and we
share those with people to help educate them (both those who are victims,
and proactively in our messaging).
Phishing awareness: https://youtu.be/ZCYsq0wunAM
Recovering from phishing: https://youtu.be/5uRb5vmwYe0

~ For 4-5 years now, we've put together a campaign every October for
National Cyber Security Awareness Month.  I sign us up as a champion, and
the campaign has now gotten pretty big: weekly campus-wide emails, daily
social media posts, a special page on our website, workshops on campus on
security topics (password management, avoiding malware/ransomware, etc),
slides for our digital screens, posters distributed in all buildings on
campus, table toppers in dining areas, buttons with the NCSAM logo (it's
amazing how much students love these), customized workshops available for
departments on request.  This year I also initiated the "Crusader Cyber
Citizen Pledge" (which I shamelessly stole from Florida State) outlining
best practices to protect yourself, and promoted that pretty heavily -
including a table in our student union with free candy to encourage people
to sign.

~ I also sign us up as a champion for Data Privacy Day each January, and
craft a small campaign for that

~ For as long as I can remember (I've been on staff since '96 when I was
still a student), we've given administrator rights to all users on their
computers.  A couple months ago we had a situation where a staff member in
one of the colleges installed a "registry cleaner" on her 2-week old campus
computer; of course it was ransomware in disguise.  Since it cost 4 IT
staff members a couple days' time, and affected the files of almost 200
people on campus as it spread, we are now starting work on changing this
policy to no longer give admin rights.  It's going to include a campaign to
let people know why we're making the change.

~ We also had a situation a couple months ago where a traveling advancement
officer got infected with ransomware while at a hotel.  I gave a custom
presentation to his entire department on how to protect yourself from cyber
threats while traveling.

It seems that most people who fall victim are appropriately embarrassed and
they don't tend to repeat their mistakes.  They also end up being
ambassadors to others in helping them to avoid the same thing happening to

What terrifies me the most is whether the scammers will start using my name
on their nefarious messages.  I handle all the communications for the IT
department, so people recognize and trust my name.  (No pressure!!)  If
they start using my name, then it's game over - we'll end up with way too
many victims.

On Mon, Nov 21, 2016 at 9:18 AM, Anita McCarthy <[log in to unmask]>

> Wondering if anyone has any successful best practices, techniques,  or
> tools that have worked for your school to combat the increase in phishing
> attacks aimed at higher ed (phishing etc.)
> In addressing this issue our plan is to educate our students and staff and
> raise awareness on the topic of Phishing through blog posts, posters and
> training. I have looked into simulation systems but they are extremely
> expensive.
> *Anita McCarthy, M.S.*
> *Training Coordinator, ITS*
> Riverdale, NY 10471
> Phone: 718-862-7407
> [log in to unmask]
> www.manhattan.edu
> <http://itsblog.manhattan.edu/>
> <http://manhattan.edu/its>
> *-Have a question? * Check our Knowledge Base
> <https://manhattan.teamdynamix.com/TDClient/KB/Default>
> Check on your tickets here
> <https://manhattan.teamdynamix.com/TDClient/Requests/TicketRequests/>.
> Have you transitioned to Drive yet? Learn more here
> <http://itsblog.manhattan.edu/p/google-drive-one-place-to-create.html> or
> ask ITS.
> Click here
> <https://manhattan.teamdynamix.com/TDClient/KB/Default?CategoryID=1022> for
> instructions on how to transition.
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at http://www.educause.edu/
> groups/.


Becky (Belmont '97) Klein
Manager of IT Communications
Valparaiso University
Office of Information Technology
Phone: 219.464.5986

*New skills. Improved skills. Now. Login to Lynda.com

Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.