Why do we run phishing awareness campaigns?
We are often asked why we run phishing campaigns where it appears that the aim is to "catch out" staff.
The purpose of phishing campaigns is to provide a learning opportunity. At the University of Reading we have a higher than average "click rate", meaning that more people follow links in unsolicited emails than at most other universities. This represents a huge risk to the University: all it takes is one person clicking the wrong link. Planned phishing campaigns are part of the University-wide strategy to reduce this risk.
> To raise awareness
DTS run regular phishing campaigns to help staff spot phishing, to deliver targeted training (those who click on the link are taken to a website giving information on spotting phishing) and to determine the level of risk to the University. Running phishing campaigns is one way to raise awareness amongst staff. All staff do cyber security training when they start, and we also run training sessions after any incident.
> It is required by the University's Cyber & Information Security Group
DTS report on these campaigns to the University’s Cyber & Information Security Group and that group agreed at the last meeting (held 5/12/22) that three phishing exercises should be undertaken every year.
> It is recommended by the National Cyber Security Centre (NCSC)
Phishing emails remain a common way to deliver ransomware onto devices inside an organisation. The National Cyber Security Centre’s Annual Review for 2022 (NCSC Annual Review 2022) includes the following statements:
"Phishing emails continue to be a successful attack vector for criminals. In many cases, these attacks are designed to mimic those online services that people use and often trust. In the last year, COVID-19 and the Russian invasion of Ukraine were prominent themes that criminals used to lure the public."
"As RDP (remote desktop) services decline as an initial access route, other ways in such as phishing and access through third parties is increasing as a proportion of all attacks."
> Following incidents at other universities
We recently held a disaster recovery exercise and had a guest speaker whose university was essentially offline for weeks following a ransomware incident where the malware came in through phishing. When asked what single thing they would do to help mitigate that risk, they replied that they would do more phishing campaigns.
Page updated by lm920207 on 09/01/23