Thursday, October 31, 2013

Frontline Employees: Stop Being Polite and Start Getting Suspicious

Back in the late ’90s, I began a career path in college administration. I started slowly, worked my way around a few schools, and tried out lots of positions: lowly student intern, undergrad admissions officer, international student admissions coordinator, marketing and creative officer. At one school, I even took over admissions for a while.

And I loved it, most of the time. There is something exciting about growing a department from the inside; creating policies and procedures that improve life for everyone, helping young people realize their dreams. I worked at some outstanding institutions.

But every institution I attended, visited, or worked for struggled with a common issue: low-level security awareness among frontline employees.

It’s not surprising, really. In my experience, many of the paper-pushing and phone-answering positions are filled by moms and grandmas with little more than basic data entry skills, or by people who’ve remained in their positions so long that they remember when everything was still done on paper…with a typewriter.

These are not tech-savvy young folks who know their way around a phishing email—and this is not a group that has traditionally adapted to technology very well.

And so, when I read that 3200 folks were impacted by a phishing email at St Louis University, it came as no terrible surprise. And the number of phishing and other social engineering attacks is on the rise. According to a recent Kaspersky Lab report, phishing scams have seen an 87% spike in the last year alone.

It isn’t that colleges and universities don’t care. Most schools care very much about educating everyone…on issues that require compliance. I took boring online HIPAA and FERPA training until my eyes bled. But folks really need comprehensive training on how to protect sensitive information—both their own and that which is in the student files they access.

I’m talking basics here. They need a whole new vocabulary: phishing, pretexting, proximity attacks, social engineering.

They need to learn to keep sensitive information from languishing on fax and copy machines and stop strangers from wandering in and out of offices where they can grab papers out of overflowing shred bins.

They need to stop thinking the best of everyone and start reporting suspicious phone calls. Every. Single. Time.

And for goodness sake, they need to stop clicking all the links (in email, on Facebook, and everywhere)!

It’s time that frontline college and university employees were trained to stop being polite and start getting real.
