W&L Security Awareness Program Addresses the Growing Threat of Cybercrime

Published | June 25, 2024

The W&L Security Awareness Program, administered through ITS under the direction of the Chief Information Security Officer, was developed in response to the university’s need to protect against the real and growing threat of cybercrime seen throughout businesses and educational organizations worldwide. Cybersecurity resilience has become a top priority with 62% of institutions saying security incidents have significantly impacted operations within the past two years.

Why is Security Awareness Needed at W&L?

Simply stated, our community is under constant attack. In most cases, the attacks involve a wide variety of ever-changing phishing schemes delivered through emails designed to trick W&L students, faculty and staff into revealing their credentials or other sensitive information. Through filtering software, firewalls and automated methods, ITS is able to block most, but not all, of the incoming attacks. At any given time, a W&L student or employee is faced with an important decision that could result either in successfully reporting a phishing email or in a critical misstep that contributes to a compromised account, theft, or a more serious ransomware incident bringing university operations to a halt.

Whether through stolen funds or post-incident mitigation efforts, the university experiences a measurable loss of revenue associated with cyber-attacks each and every month.

ITS has implemented a variety of strategies over the past few years designed to enhance network security. Fortunately, tools like Duo multi-factor authentication, single sign-on access through Okta, and Advanced Threat Protection (ATP) from Microsoft have resulted in a considerable reduction of compromised accounts for individuals. While technologies like these are a crucial component of network protection, they fall short in preventing individual mistakes and errors.

Averting Security Incidents Through Awareness

So what’s the solution? Guidance from outside industry experts as well as years of accumulated knowledge and experience at W&L have led us to conclude that enhanced “awareness” is a crucial component in defending the university from ongoing network attacks.

Why awareness? People continue to be the primary attack vector for cyber criminals around the world. Human accidents, missteps, and errors, rather than technology, now represent the greatest risk to organizations. Security awareness programs are key to managing this risk.

According to the SANS 2023 Security Awareness Report, “the number one top risk identified is social engineering attacks, or what we call the *ishings – Phishing (email-based attacks), Vishing (phone-based attacks), and Smishing (messaging-based attacks).” In addition, “…it was perceived as much more of a risk, even compared to all other human risks combined, including passwords. Regardless of the cyber attacker identity, skill level, resources, or motivation, social engineering is the simplest and most effective way for most cyber attackers to gain a foothold into any organization.”

How Does W&L Address Security Awareness Training?

W&L subscribes to KnowBe4, the world’s largest integrated platform of security awareness content and tools. A custom solution has been designed within the KnowBe4 framework that allows the ITS team to manage security awareness and training through monthly simulated phishing tests, an integrated Phish Alert Button (PAB) and individualized follow-up and remediation when prescribed.

What is the Impact on Students and Employees?

The W&L Security Awareness Program is designed to improve the understanding, recognition, and detection of phishing messages by students and employees while practically eliminating the need for time-consuming formal training.

1. ITS provides all students and employees with a Phish Alert Button.

The Phish Alert Button (PAB) is included in all Outlook Web and Outlook Desktop applications. Students and employees are asked to click the PAB whenever a suspicious email message is received. Those who do not use Outlook will not see the PAB on their device. In that case, users are asked to forward any/all suspicious emails as an attachment to phish@wlu.edu.

2. A simulated phishing email is sent once each month to all students and employees.

Students and employees are asked to click the Phish Alert Button (PAB) to report any/all phish emails received (both simulated and actual threats). When you correctly report a simulated phish, you will see a congratulatory pop-up notice. If you accidentally click a link in a simulated phish, a page will follow with helpful details about what made that specific email suspicious. The KnowBe4 system will automatically assign one additional simulated phish in the same month to those users who accidentally click a simulated phish. Those who delete, ignore, or otherwise avoid a simulated phish will not see additional feedback and will not be assigned additional simulated phishing emails for that month.

3. All new students and employees will complete security training.

Security training will be provided to all new students and new hires during the onboarding process. The training will consist of an online interactive module focused on safe computing concepts using the KnowBe4 platform.
