Canadian universities welcome approximately 1.4 million full-time and part-time students, as well as more than 47,000 employees every year, according to Universities Canada. Each of these universities stores large amounts of sensitive data on its IT systems, including personally identifiable data about individuals and information about proprietary research, finances, physical security operations, and more.
In addition, there are hundreds of opportunities for open information sharing – from sending emails to submitting reports. This has led to higher education providers being one of the key targets for cyberattacks such as phishing emails, according to the Microsoft Digital Defense Report 2023.
Therefore, IT teams at universities have made security awareness training for both staff and students an urgent priority in recent years.
“Students are practically born with technology in their hands, but they don’t have the information about security,” says the chief information security officer (CISO) of a major Canadian university that chose Fortra’s Terranova Security to help it secure its digital ecosystem.
While working with Fortra, the university was home to 40,000 students and nearly 7,000 faculty members and staff with many courses taught and presented in two different languages. University members were frequently receiving phishing emails that bypassed standard cybersecurity barriers, revealing a critical need to educate the entire university community on the growing threat of cyberattacks.
At the time, cybersecurity training was not mandatory on campus. In some cases, people were reluctant to participate in simulation exercises, due to fear of repercussions if they failed a phishing email simulation. As a result, entire campus departments would reject simulation testing because they found it too realistic and believed it could negatively affect their daily communications. However, says the CISO, “We have to give people the right to make a mistake.”
To overcome this challenge, the university’s CISO, the IT team and other stakeholders implemented a complete Fortra solution that included multiple end-user training courses to change unsafe online behaviours; training campaign monitoring and performance measurement with in-depth reporting; and a customisable phishing assessment. They first deployed and presented modules from Fortra’s course library to the university in a series of campaigns. The university selected 12 modules for its diverse audience, based on customisation features crucial to the success of the training programme. Security team leaders focused on deploying training courses that aligned best with the existing culture.
“Until last year we were focusing on personnel. Now we are targeting the whole community, including the students,” says the CISO.
The goal was to record strong participation in a security training campaign rolled out to staff and faculty first. The training was presented in a safe environment, leveraging module content that all generations could connect with. As a result, participants freely engaged with the training courses without concerns about negative consequences. The university also leveraged Fortra’s Awareness Platform, which allowed programme administrators to manage their campaigns and course deployments with near real-time reporting on course completion metrics. It customised assessment difficulty levels to adapt to the wide variety of knowledge bases and aptitudes.
After deploying the training programme, the university observed a five per cent increase in the participation rate among staff. Following the university’s student training campaign, the CISO reported reaching 17,000 of the estimated 40,000 students total, marking a participation rate of more than 42 per cent.
Having benefitted from Fortra’s training, learning management and assessment solution, the university CISO intends to continue collaborating with the company’s cybersecurity experts. By working together, both parties can further optimise the training solution based on key metrics and campaign results.
This article was originally published in the Winter 2023 issue of Technology Record.