Newsletter

Inside ABC: Awareness, Behavior, and Culture

The WashU Office of Information Security (OIS) takes a holistic approach to security training and awareness. Our goal goes way beyond raising awareness through a required annual training. The Awareness, Behavior, and Culture (ABC) team aims to foster a resilient and adaptable security culture so WashU Community members know what to look out for, how to respond when a potential threat appears, and how to implement generalizable security best practices wherever possible. 

We take this approach because the cyber threat landscape is constantly changing, and our defensive strategies must keep pace. Annual training just can’t do that. Further, the memory of an annual training seems to fade almost as quickly as it is completed. It’s a hoop to jump through rather than a source of practical knowledge that can be applied at work, incorporated into your personal life, or passed on to those you want to protect.  

Phishing and social engineering attacks can come at you from any direction, whether at work or home. Often, they’re aimed at getting to your personal data and resources, and sometimes, the point is to obtain your WashU credentials so criminals can infiltrate our system. Sometimes, these attempts impersonate WashU Community members, even if they land on your personal cell phone or in your personal email account. Cybercriminals don’t care about any boundaries we maintain between our work and personal lives. They’re hoping that our training and awareness program is a low-impact annual institutional compliance checkbox, that it hasn’t sunk in, and that you haven’t thought about applying your security training beyond the university. They’re going to be disappointed.  

The multifaceted security ABC program is designed to address cyber threats impacting our community. Everything we do considers how to best meet the security needs of our community.  

  1. The topics we write about in the monthly newsletter originate from questions we receive, events impacting WashU Community members, or possible threats that might target our institution and our people.  
  2. Our website is full of articles and conversational guidance on a huge variety of security topics that are useful in your work at WashU and your life in general.  
  3. We engage the WashU Community in frequent phishing simulations so that you can safely practice identifying scams. These simulations are copies of actual phishing messages circulating out there in the world or even within WashU. We’ve heard from many people that catching the simulated phishing attempts is fun, and the WashU phish report score is getting better and better.  
  4. Rather than subjecting our audience to annual training, we’re running short (often around five minutes), memorable monthly trainings. This allows us to provide information on many different topics in bite-sized chunks. The monthly assignment also enables us to adapt the training to the immediate needs of our community. This aspect of the program is currently in a pilot phase. We’re rolling it out to the entire WashU Community one step at a time. 

Between this newsletter edition and the launch of National Cybersecurity Awareness Month 2024, we’ll take a closer look at each of these aspects of the information security Awareness, Behavior, and Culture program—why we do it, how it’s going, and plans for the future. We hope that you’ll agree with our approach and offer your ideas and suggestions along the way.