Letter from the CISO – Everyone is in InfoSec

Washington University Community:

I welcome you to this inaugural edition of our new Information Security Bulletin.

My primary goal for the bulletin is to empower every member of our community to do their part in protecting us from cybersecurity attacks.

A few years ago, the CISO for a health system was asked how many people he had on his Information Security Team, and he replied, “66,000. Everyone is part of our Team.”

I hereby welcome you to WashU’s InfoSec Team!

This first edition focuses on security awareness and the new training program we are initiating to onboard you as Team members. Our new program will ensure that you have the information you need to be a successful part of the Team.

I’ll start by emphasizing why we need everyone to be part of our Team. In short, cybercriminals and foreign governments are continuously attacking the University, looking for opportunities to disrupt our operations and steal our confidential information. Over the past few years, we’ve all seen news reports about universities, hospitals, schools, governments, and companies that fall victim to these attacks and suffer enormous costs.

WashU is fully in the cybercrime target zone. We see email phishing attacks against us every day, and over the past year, phishing attacks have been the starting point for over 90% of successful intrusions around the world. As a complement to daily phishing attempts, cybercriminals continuously scan our systems for weaknesses. On one recent day, we detected over 28,000 intruders attempting to scan our network for vulnerabilities.

Some people think that Information Security is a technology problem and that IT should “solve” it. Unfortunately, this is analogous to saying that car accidents are a motor vehicle problem for car companies to solve. Car companies and information security organizations do what they can to prevent incidents, but ultimately it is the automobile drivers and computer users who allow or cause most of the accidents.

In short, we truly need your help to prevent cybercrime.

In this issue of the Information Security Bulletin, you will find information about our new Security Awareness Program, which features:

  1. communications such as this new, monthly Information Security Bulletin and special alerts (which we’ve had for some time),
  2. a new way to report suspected phishing messages using a Phish Alert Button (PAB) in Outlook (coming soon),
  3. simulated phishing attacks, and
  4. a variety of information security and privacy training modules.

We also include an overview of Social Engineering Red Flags, including a PDF file suitable for printing and posting on your wall as a reminder of how to avoid falling for phishing and social engineering attacks, whether simulated or from the real world.

Thanks for your attention, and welcome to the Team!

-Chris Shull, CISO