University end users are pretty good at identifying a scam.
Only 10 percent of simulated phishing emails sent to users at education institutions were successful, a new study from Wombat Security Technologies reports. The company monitored tens of millions of simulated phishing attacks sent over the course of a year through its Security Education Platform across more than 15 industries.
The State of the Phish 2018 report found that users in education were less likely to click on a phishing attempt than those in technology, entertainment, hospitality, government, consumer goods, retail and telecommunications. Several industries, including transportation, energy and finance, fared better than education, a sign that higher education institutions still have work to do.
Organizations across industries are paying more attention to phishing risk, with 76 percent of survey respondents reporting that they measure their organization’s susceptibility to phishing, up 10 percentage points from the previous year. And 95 percent of respondents indicate they are training end users on how to identify and avoid phishing attacks.
Joanna Grama, EDUCAUSE’s director of cybersecurity and IT governance, risk and compliance, tells EdTech that more universities are making cybersecurity training a requirement for all faculty and staff. Some universities are making these training sessions a requirement for students as well.
“Institutions that are doing really well in the information security sphere understand that everybody at the institution has a role and that everybody needs to be empowered to do that role properly,” says Grama in the article.
How Universities Educate Users on Phishing
As phishing attacks have become more targeted, universities have had to up their game in providing awareness to faculty, staff and students.
Most universities have a number of phishing awareness resources on their websites, including breakdowns of how to spot a phishing email. Some universities, such as the University of Pittsburgh, have even established special inboxes where students and staff can report suspicious messages to the IT team. But some schools have gotten even more creative with training.
At the University of Colorado, a phishing simulation program was developed to help campus end users learn to identify suspicious emails. To conduct the simulation, Office of Information Security staff send a fake phishing email to employees and students to see who takes the bait.
“If a user takes action on a simulated phishing email, they will be directed to educational materials or video,” reads CU’s website about the program. “The goal of the simulation process is educational and not punitive.”
CU’s IT staff then use the data collected during the simulation, which is kept confidential, to tailor new awareness and training programs for individual departments and schools on campus.
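The mechanics of a simulation like CU’s (a unique lure link per recipient, a click that lands on training material instead of a penalty, and results rolled up by department) can be sketched in code. The following is an added example written for this article; it is not CU’s program or Wombat’s platform, and the campaign ID, roster, URLs and secret are all constructed for illustration. Each lure link carries an HMAC tag over the campaign and user ID so that a recipient cannot forge a “click” for a colleague or guess someone else’s link, and clicks are deduplicated per user.

```python
"""Minimal phishing-simulation tracker (added example, not CU's program)."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed/constructed values for the example: a landing page for training
# material and a roster mapping user IDs to departments.
LANDING_URL = "https://security-awareness.example.edu/learn"
ROSTER = {
    "u001": "Admissions",
    "u002": "Admissions",
    "u003": "Chemistry",
    "u004": "Chemistry",
    "u005": "Chemistry",
}


class SimulationTracker:
    """Issues per-recipient lure links, records clicks and reports, aggregates results."""

    def __init__(self, campaign_id, roster, lure_base="https://it-helpdesk-notice.example.net/verify"):
        self.campaign_id = campaign_id
        self.roster = roster
        self.lure_base = lure_base  # hypothetical look-alike domain used in the lure
        self.secret = secrets.token_bytes(32)  # fresh per campaign; never leaves the server
        self.sent = set()
        self.clicked = set()
        self.reported = set()
        self.rejected = 0  # requests whose token did not verify

    def _token(self, user_id):
        # HMAC over campaign and user so tokens cannot be forged or enumerated.
        msg = f"{self.campaign_id}:{user_id}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def lure_link(self, user_id):
        """Unique URL embedded in the simulated phishing email for one recipient."""
        qs = urlencode({"c": self.campaign_id, "u": user_id, "t": self._token(user_id)})
        return f"{self.lure_base}?{qs}"

    def send_all(self):
        """Return a user -> lure link map for the mailer; marks everyone as sent."""
        links = {}
        for user_id in self.roster:
            links[user_id] = self.lure_link(user_id)
            self.sent.add(user_id)
        return links

    def handle_click(self, url):
        """Called when a lure link is visited; returns the training redirect or None."""
        q = parse_qs(urlparse(url).query)
        campaign = q.get("c", [""])[0]
        user_id = q.get("u", [""])[0]
        token = q.get("t", [""])[0]
        if campaign != self.campaign_id or user_id not in self.sent:
            self.rejected += 1
            return None
        if not hmac.compare_digest(self._token(user_id), token):
            self.rejected += 1
            return None
        self.clicked.add(user_id)  # set: repeat clicks by one user count once
        # Educational, not punitive: the click lands on training material.
        return f"{LANDING_URL}?{urlencode({'c': campaign})}"

    def handle_report(self, user_id):
        """User forwarded the message to the report-phishing inbox."""
        if user_id in self.sent:
            self.reported.add(user_id)

    def department_summary(self):
        """Per-department counts and click rate, to target follow-up training."""
        per_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
        for user_id in self.sent:
            d = per_dept[self.roster[user_id]]
            d["sent"] += 1
            d["clicked"] += int(user_id in self.clicked)
            d["reported"] += int(user_id in self.reported)
        for d in per_dept.values():
            d["click_rate"] = d["clicked"] / d["sent"]
        return dict(per_dept)


if __name__ == "__main__":
    tracker = SimulationTracker("fall-2018", ROSTER)
    links = tracker.send_all()
    tracker.handle_click(links["u003"])
    tracker.handle_report("u001")
    print(tracker.department_summary())
```

The per-department summary is what feeds the next round of training; the individual click set stays inside the tracker, which is the practical form of the “not punitive” policy. A real deployment would also log the user agent and timestamp of each click so that automated link scanners in the mail gateway are not counted as user clicks.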
Although many universities are investing in security tools that filter suspicious messages before they reach inboxes, Cidon says there is no substitute for educating users about the dangers.
“When we look at what to do to tackle these problems, we look at two areas: the machine and the human aspect,” says Cidon in the EdTech article. “The machines should always be running, they don’t sleep. On the human side, it’s not a bad idea to provide specialized training during the beginning of the school year.”