Security Awareness Training
New York State Policy on Security Training for employees:
New York State Policy on Information-Security NYS-P03-002 updated 2017-03-10 states:
“The State Entity (SUNY) workforce must receive general security awareness training, to include recognizing and reporting insider threats, within 30 days of hire. Additional training on State Entity specific security procedures, if required, must be completed before access is provided to specific SE sensitive information not covered in the general security training.
All security training must be reinforced at least annually and must be tracked by the State Entity.”
Purchase College Procedure:
Purchase College meets the NYS and SUNY requirement stated above in a variety of ways. On an individual basis, security and FERPA training is conducted before access is provided to Banner, our Websites, Admissions, financial and other systems.
All employees are automatically enrolled in the KnowBe4 training campaigns for security awareness. KnowBe4 is widely used in SUNY and tracks individual progress through the interactive training modules contained in the system or created by the College. Purchase College conducts two rounds of Security Awareness Training per year, at the start of the spring and fall semesters. KnowBe4 reports are provided to campus executives for follow-up.
Why do we have this policy and require regular training?
We all receive phishing messages touting a way to make easy money - and asking people to respond with their private email address or phone.
While these are usually fairly obvious ruses, some folks inevitably engage the culprit in communication before we can block the phisher’s address.
There is also a constant stream of fairly obvious fake messages from employees’ supervisors asking for a favor - or for cell phone numbers. Unfortunately, people continue to fall for those too - after all, we’re conditioned to want to keep our boss happy. There is a way to make them happy - don’t fall for social engineering tricks!
It is more than email and text. There have been elaborate social engineering scams run here on campus that involved email, phone calls - and physically walking into offices on campus. Social engineering works best when we allow ourselves to be rushed without paying careful attention.
What can you do to prepare yourself so that you’re not next?
Don’t let yourself get rushed into completing even what seem like routine tasks. Pause and ask yourself if there’s anything unusual about a hurried request - and trust your instincts.
Remind yourself that nothing good is easy, and nothing good is free - and if something sounds too good to be true, it probably is.
Complete the Training: The online training does a good job covering examples of the types of social engineering scams we are seeing regularly.
If you have not already completed your mandatory training, please visit the training dashboard to begin. This training can be completed from the office or from home - at any time.
The link to the training also appears in the “Quick Links” section of the Faculty/Staff Portal page. Protect yourself – complete the training - and think twice before you click. You and your supervisor will start getting reminders after the due date if you have not completed the training. New York State and SUNY require all employees to complete annual Security Awareness training.
Do it for me, do it for your supervisor - or do it just so that you’re not next. Please - take the training and learn to protect yourself, and all of us, from this tidal wave of scams.