This past November, Drake University's Information Technology Services (ITS) department launched its first campus phishing quiz. We began using a new antiphishing tool in the spring that greatly decreased the number of suspicious e-mails arriving in campus inboxes. We also planned to relaunch a phishing assessment program that was on hold until our numbers went down. A phishing quiz seemed like a good way to stress the importance of identifying phishing e-mails and tie in with the phishing assessment program's relaunch. We kicked off our phishing education campaign around National Cyber Security Awareness Month (NCSAM) since it was a natural launching point, and it allowed to us to take advantage of the wealth of free resources provided by the National Cyber Security Alliance.
Drake is a relatively small campus with a small IT organization. We have approximately 3,300 undergraduate students, 1,700 graduate students, and 950 faculty and staff members. There are less than 50 ITS staff members, one IT security manager, and one IT communications manager — me.
So how did we make it work?
Plan, Plan, Plan
It was helpful that my office is next door to our IT security manager, as we spent a lot of time together planning this program over the spring and summer. Beginning in early May, we created a 28-point communication plan that spanned the end of September through early December. We tweeted, posted to Facebook, wrote articles for the weekly campus e-newsletter, hung posters, chalked messages on the campus sidewalks — we got the word out any way we could. We promoted NCSAM and online security during October, and ran the phishing quiz from November 1 to December 1. To minimize the amount of original content we needed to develop, we used NCSAM content where we could.
Get Leadership on Board
In early October, our IT security manager met with all of the key groups on campus, including the President's Council, Dean's Council, and All Staff Council. He presented them with our plans, as well as statistics about the percentage of inbound phishing e-mails sent to campus, to stress the importance of the campaign (80% of all e-mail messages sent to our campus are malicious in nature). All of the key stakeholders were informed and on board before we launched the quiz and the reboot of the phishing assessment tool.
Have a Hook
The campaign needed to get people's attention. ITS staff members stapled Swedish Fish to 1,500 business cards with phishing protection tips and the URL of the quiz. The cards were delivered by campus mail to every faculty and staff mailbox on campus, and fishbowls full of them were placed in the library, recreation center, and IT support center. These promotional pieces were designed to get everyone's attention and entice people on campus to take the quiz.
Keep It Small
Our IT security manager and I planned and executed the majority of the event. With a limited budget, we used existing tools and purchased a few supplies we could reuse next year. I designed the cards, we sourced materials as inexpensively as possible, and we used our existing campus survey solution to create the quiz. We spent the majority of money on prizes and our promotional piece to try and entice campus to participate. All in all, we spent $525.31.
Set Realistic Expectations
We didn't know what the response would be. We kept the phishing quiz short and made sure that the cards had helpful information so that even if people just read the card and ate the candy without participating in the quiz, they would still learn something. The contest was open to everyone on campus — except ITS staff. Around 230 members of our campus community took the phishing quiz, but we feel like we had a much larger impact. We received positive feedback on the quiz, the promotional pieces, and the entire campaign.
One staff member sent an e-mail stating, "Great job on putting together the phishing thing — it was done in a chill, easygoing way, but also very informative and helpful — I'm sure it was a lot of work to put together…thanks for going above and beyond to help educate us!"
Another staff member commented, "That was actually a pretty tricky quiz. Really good education tool, though. I liked it a lot."
What's Next?
Our IT security manager and I have already begun planning for this year's event. We took notes after last year's event and have been collecting data from our phishing assessment tool. Quiz questions will be customized to reinforce the types of phishing attempts that most frequently trip up our faculty and staff. We are reaching out to our athletics department and our campus bookstore to source additional prizes without having to expand our budget. And we're planning new in-person interactions to connect with our students and spread the word about this important topic.
Carla Herling is an IT communications manager at Drake University.
© 2017 Carla Herling. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.