Gerry Bayne: Everyone loves a good story. And, when it comes to IT security awareness, stories with a happy ending are even better. We talk with some of today's top information security leaders to hear some of their success stories. David Sherry is chief information security officer at Princeton University.
David Sherry: Both my time at Princeton and before at my previous school, Brown University, we rolled out something called the Phish Bowl. The premise is to have a website where the university population can check in to see if a message they've received is a possible phishing attack. They have a suspicion, they check the Phish Bowl. If it's there, great. They delete it. If not, they can send it to the Phish Bowl. It's triaged by the staff, the information security staff, and we get it up so they can help other people. Since its inception at Princeton, we've seen a drop in the number of compromised accounts. We've seen a huge drop in the amount of calls to the help desk, a huge amount of emails sent to the security team. It's been checked thousands of times. It's had hundreds of submissions into it. We went live and it's been tremendously accepted.
Gerry Bayne: Raising awareness of IT security issues on campus, particularly phishing, doesn't have to be a dull experience. In fact, some of the best ways to make a point involve a little fun. Ben Woelk, Information Security Program manager at Rochester Institute of Technology, explains ...
Ben Woelk: Several years ago, we had too high a level of victimization on phishing and text. Now when you look at it in the context of probably 30 to 60,000 accounts and you have 25 or 30 people compromised, that's a tiny, tiny number but it's not a comfortable number because it can still have an impact. We have students that work for us in our office and we rented a fish costume, and we did a one-week-long campaign on campus about phishing with our poor students dressed up in a fish costume wandering all through campus, stopping at every office with a card that we handed out which basically said, "Don't give up your password by email if somebody asked for it." The fish was the typical mascot which didn't talk. We toured campus with the fish. We got the student Reporter Magazine interviewed us and published information about it. People would see us walking and come running up. It was a lot of fun. I think at least for a good six-month period we saw the amount of victimization from phishing drop significantly. It was a lot of fun. It was doing something different.
Gerry Bayne: Check out more tips on how to make security awareness a success at your institution at www.educause.edu/securityawareness.