Every October, we join hundreds of other organizations in observing National Cybersecurity Awareness Month (NCSAM). This month, we focus on best practices for keeping personal and professional data safe from bad actors who seek to steal information or exploit systems. This year’s themes were:
- Week 1: Use strong passwords and a password manager
- Week 2: Turn on multifactor authentication (MFA)
- Week 3: Recognize and report phishing
- Week 4: Update software
These themes may look familiar, but they remain the best ways to keep your and Carleton’s data safe. Click the links above for blog posts with more information on these topics.
Training
While October is when we make our strongest push to complete the required annual web-based cybersecurity training, this year we published the training earlier than ever to give faculty a wider window to complete it when convenient. We are just a few percentage points away from reaching our goal of 100% participation. We’d like to thank everyone who completed this early or on time. We don’t have much choice in this: it is a firm requirement from campus leadership, our insurer, and federal regulations for all staff and faculty. This training remains one of our best measures to protect users against phishing and other cyber threats.
This year was the first time incoming students were required to complete the same cybersecurity awareness training as employees. Although the same regulatory drivers do not apply to students, recent events have demonstrated that they are not impervious to email-based scams. Four current or former students were scammed out of several hundred dollars each in two recent phishing incidents. In one case, the scammers made out with over two thousand dollars. Providing this training to students is simply a good idea. In this way, we are helping prepare our students for threats they will face now and as they move into their professions.
Phishing
We conducted two of our four annual phishing simulations in October, marking the first time all students were included in the exercises. While employee click-through and reporting rates beat industry benchmarks, the student metrics show we have some work to do to raise awareness of social engineering threats—and, importantly, how to report phishing. During the first phishing simulation, all student groups exceeded the target benchmarks for click-throughs. We’d like to see this rate below 10%; however, first-year students had a click-through rate of over 25%, and seniors had a click-through rate of 15%. The average click-through rate for all years was just over 20%. The reporting rate was very low, although this is not entirely unexpected. We have done virtually no education on how to report phishing properly.
Reporting phishing is one of the most effective ways to help protect others in the Carleton community from falling victim to email-based threats. When you report phishing, the Information Security team is notified, and we investigate and take appropriate actions. These actions may include deleting malicious messages from inboxes, checking for compromised credentials, and contacting those who may have interacted with the phishing message. To properly report phishing, select the menu icon in the Gmail message window (the three vertical dots), then select “Report phishing.” It is important to note that this differs from reporting a message as spam. While spam is a nuisance, it is not considered dangerous, and the volume of spam reports makes it unreasonable to investigate every one. It is also important to note that, currently, the “Report phishing” feature is only available in the Gmail browser client.
Town Hall
During Cybersecurity Awareness Month, we always hold a town hall. At this year’s meeting, Kendall George, our Information Security Officer, and our new security analyst, Sophia Legare, reinforced this year’s themes. They also detailed phishing and other cyberattacks targeting our community, data, and systems, and discussed the threats and opportunities posed by the emerging capabilities of AI, used by both attackers and defenders. Video below.
Cybersecurity is not solely the responsibility of security professionals; it requires a collective effort from everyone to create a safer and more secure online environment. Thank you for doing your part in protecting Carleton!