State of Oregon Phishing Awareness Program Implementation Overview
The State of Oregon has launched a comprehensive Phishing Awareness Program to educate and protect employees against phishing attacks. The program includes phishing simulations, security culture surveys, and clear steps for handling suspicious emails. Various phases have been implemented to ensure all executive branch employees receive ongoing training. Employee engagement is encouraged through non-punitive measures, and results are tracked to identify trends and risk levels within the organization.
Presentation Transcript
State of Oregon Phishing Awareness Program
What is a phishing awareness program?
Why have a phishing awareness program?
Implementation Plan (Q3 2019): Pilot program for ESO only began in July. In August and September OSCIO employees received the monthly phishing simulation emails for additional testing purposes.
Phase 1 (Q4 2019): All DAS employees began receiving the monthly phishing simulation emails for testing purposes.
Phase 2 (Q1 2020): Agencies as determined began receiving the monthly phishing simulation emails. Email delivery is staggered across each month, ongoing for all agency staff.
Phase 3 (Q2+ 2020): Subsequent phases mimic previous phases until all executive branch employees receive monthly phishing emails on an ongoing basis.
Phase 4
Strategy
What to expect
Every staff member at all levels of the organization will receive one phishing simulation email in each calendar month.
Every staff member will receive a security culture survey 90 days after implementation and annually after that.
When you receive a phishing email (real or simulated), follow the steps below:
Don't respond to the email or click any links.
Follow your agency's current process for reporting suspicious emails.
Delete the email.
It's that easy!
Phishing Templates
Phishing Simulation Email Traits
May or may not have business relevance
Slightly above what is considered SPAM
Used for monthly testing
All new and existing employees
Complexity will vary
Email delivery is staggered across each month, ongoing for all agency staff.
Why report phishing attempts?
Employee Engagement
Non-punitive
Immediate and automatic feedback
Additional engagement with the employee after the 4th response (i.e., repeat responder program)
Results
Unique Clicks on URLs
Opened Attachments
Data Entry
Repeat Responders
Emails Reported
Trends
Most Risky Groups
Least Risky Groups