CVTC Cyber Security Awareness Program FAQ

Q: What is the Cyber Security Awareness Program? 
A: It is a series of on-demand training, simulated phishing attacks, and pre-created marketing material designed to promote situational awareness around cyber-attacks. 
 
Q: Why do we need a Cyber Security Awareness Program? 
A: To equip CVTC employees with tools and knowledge to be the first line of defense against cyber-attacks. 
 
Q: Is the training required?
A: Completing the annual and any follow-up cyber security training is a requirement for all CVTC employees. 
 
Q: Is CVTC required to run an awareness program?
A: Yes, employee training and phishing simulation are required by both CVTC's Cyber Liability insurer and the Gramm-Leach-Bliley Act. 
 
Q: How often is training assigned to employees?
A: A training campaign is assigned once a year. Follow-up training may be assigned based on phishing simulation results. 
 
Q: How long does an employee have to complete the training?
A: The standard annual training must be completed within 4 months after the employee is enrolled in it.
 
Q: Why do some employees receive two annual training courses in one year?
A: The campaigns restart on the same calendar date every year. In the first year of employment, everyone will see two training courses in less than 365 days. How close together they fall depends on the employment start date. 
 
Q: If I have proof of completing another cyber security training program, can I be exempt from CVTC's?
A: Training modules within the campaign are selected to complement CVTC's information security program. To ensure our employees have the right baseline tools, only CVTC-sponsored training is approved.
 
Q: Why are email phishing simulations part of the program?
A: Email remains the number one attack threat. Simulation, like having a fire or tornado drill, helps create situational awareness that significantly reduces the risk of an incident. 
 
Q: Does CVTC have technology to prevent email attacks?
A: Yes. Our email security technology filters roughly one-third of the tens of thousands of daily emails before they hit your inbox. However, threat actors are always trying to find ways to bypass filters. A percentage of the time they will succeed. 

Q: Are the results of phishing simulations recorded? If so, why?
A: Positive and negative results are recorded to assess risk and the effectiveness of the Cyber Security Awareness Program.
 
Q: Who can view detailed results? Are they ever shared with anyone?
A: Results are considered highly sensitive. Only the owner of the application and the information security officer can view them. In exceptional circumstances, data may be shared with executive leadership involved in cyber risk management. 
 
Q: How are simulated phishing email messages created?
A: They are created automatically based on vendor templates using artificial intelligence within defined parameters to randomize delivery. CVTC employees do not author content or have influence over time of delivery or recipient.

Q: Do IT employees receive simulated attacks?
A: IT staff are enrolled in campaigns of the highest difficulty. No college employee is exempt from or has advance knowledge of the simulations.

Q: A message came through pretending that it was from my department. Can I be made aware of these in advance to prepare?
A: The campaigns are automated, and no one is aware of the recipients or delivery schedule. However, the administrative overhead placed on a department is considered when adjusting frequency and difficulty. 
 
Q: Does the simulation have access to any CVTC data or systems?
A: Our phishing simulation vendor cannot integrate with CVTC systems beyond basic directory information such as email address, first/last name, and supervisor. It has no access to things such as email communications or meeting data. 

Q: What if I have a suspicious email that does have specific targeted data?
A: Then it is most likely not a simulation. 

Q: How often are simulations conducted?
A: Every employee will receive one simulated message a month by default. The campaigns are adaptive based on failures, increasing to a maximum of three.
 
Q: What if I received five this month?
A: If that is true then some of them were actual phishing attacks. Not everything is a simulation. 
 
Q: I failed a simulation, but I never clicked on anything in the email. 
A: If you believe that to be the case, please contact the service desk and IT will investigate the matter. 
 
Q: I failed a few simulations and am now hesitant to open any email. What should I do?
A: Every simulation uses one or more tactics covered in the training. Training can be reviewed any time after completion for a refresher. Applying what is learned during the training should let you open every email message confidently. 
 
Q: I received a simulated message that contained questionable or unprofessional language. What do I do?
A: Our vendor does not offer templates that would be inappropriate for the workplace. You most likely are interacting with a real phishing attack. Please use the Phish Alert button to remove and report it.

Q: I have additional questions not covered by this FAQ.
A: Please submit a service desk ticket and it will be routed to the appropriate IT staff member who can answer your questions.

Keywords: cvtc cyber security email e mail e-mail phish phishing fish fishing train training tech technology aware awareness staff faculty employee
Doc ID: 137135
Owner: Jessica C.
Group: Chippewa Valley Technical College
Created: 2024-05-06 08:39:49
Updated: 2024-05-15 06:27:00
Sites: Chippewa Valley Technical College