Thursday March 23, 2017

Social Engineering vs. Social Engagement: Fighting Cyber-Crime with Cyber-Mindfulness

With "cyber-mindfulness" as the goal, this campus campaign helped employees become more savvy about online risks and caring for digital information.

The enormous impact of social engineering and user-focused exploits requires that organizations think differently about educating and involving people in protecting data. University of Dayton Information Technologies answered the challenge by developing a long-term awareness-building campaign to close the gap between technical solutions and the human factor.

In June 2015, University of Dayton Information Technologies (UDit) was tasked with deploying a technical solution to the problem of password security: two-factor authentication (2FA). Aware of how quickly the landscape of IT security - and social engineering - is evolving, UDit opted to nest the deployment of 2FA within a larger context of the challenges of information security. While 2FA would require a new behavior for employees to learn (and a necessary inconvenience), it would greatly improve protection of UD resources. Even so, employees shouldn’t construe it as the final solution to information security. Preparing people for the change, helping them understand why 2FA was needed, and showing how they play a critical role in the security equation were large communication challenges. UDit needed to undertake a comprehensive communications initiative to transform the user community from risk factors into cyber-mindful partners in the future of university IT security practices.

The result? A yearlong security awareness campaign, “Safe Computing 2016,” engaging faculty and staff to build awareness, shape attitudes and reinforce effective behaviors regarding safe computing at the University of Dayton and at home.

A 2016 wall calendar announced the campaign in January and previewed the safe computing themes that would be addressed each month, such as “Keep a Clean Machine,” “Guard Your Privacy at Home and Away,” and “2FA: Join the Movement.” Brown-bag presentations, information tables, and a free data destruction event provided in-person opportunities for employees to engage with UDit, learn skills, and ask questions.

At the center of UDit’s strategy was a twice-monthly e-newsletter with cyber security tips for work and home computing, phishing tricks to beware of, current scams in the wild, a dose of humor and graphics, and regular requests for feedback (with rewards of branded swag like pens, mugs and cleaning cloths) to encourage ongoing engagement.

The newsletters were followed by monthly “phake phish” messages emailed to employees to exercise their new cyber-awareness skills. After each phishing exercise, click rates and an explanation of the red flags that should have been caught were shared with the community.

The campaign was designed to attract and hold the attention of a widely diverse audience of over 3000 faculty and staff by “humanizing” complex IT topics with an accessible tone, actionable information, and a sense of humor. The strategy seems to have worked: “safe computing” and “cyber-mindfulness” have become part of the campus conversation at UD; interactions between employees and UDit significantly increased; and faculty and staff are more aware of the risks associated with phishing and other social engineering ploys, and of the ways they can participate in protecting institutional and personal data.

Survey data collected early in the year compared with responses at the program’s conclusion indicated statistically significant movement towards this goal, including increased end-user knowledge and a sense of responsibility and shared ownership for protecting data and asking for help.

As hoped, participation in the awareness and training program increased faculty and staff’s overall “cyber-mindfulness,” preparing them to more confidently identify and respond to cyber threats. Moreover, feedback throughout the year indicated that safe computing communication was seen as useful, appreciated . . . and even enjoyable.

The campaign gathered such momentum that at the end of 2016 employees actually expressed a desire for a continuation of the information, events and opportunities to increase their cyber savvy. UDit responded by creating a new theme and campaign for 2017, “Becoming Cyber-Mindful: For You. For UD.” Plans are also being made for a student-focused campaign to begin in the fall of 2017.
