2022 Infosec Impact Award Winner — East Carolina University

Universities are home not just to students and faculty but also to all of the sensitive data that goes along with operating a major research institution. At East Carolina University, Chief Information Security Officer Mark Webster heads the team in charge of safeguarding this data. Mark leads a team spanning both traditional information security and cybersecurity operations. Their role is critical because ECU is the only university in North Carolina with a school of medicine, a school of dental medicine, and a college of engineering. Between the three schools, there’s a huge amount of sensitive research data that needs protecting!

Protecting sensitive data at North Carolina’s only medical school, engineering school  

A strong security awareness training program goes a long way when it comes to preventing cyberattacks at universities. The cornerstone of ECU’s training is Infosec IQ. Although ECU had been using Infosec IQ for some time, it wasn’t until newcomer Brian Hildreth joined the team that the program really took off. Brian expanded ECU’s cybersecurity training beyond the baseline to include quarterly simulated trainings. According to Mark, “Brian had actually worked with Infosec IQ with one of his former employers and gotten it off the ground then. So that was kind of a serendipitous thing where he was familiar with it and didn't have any kind of a learning curve there.” Fast forward to today, and all faculty and staff are required to go through the training. 

The team also uses Infosec resources to greatly enhance the content in their training library. Mark explains that they don’t have the time or resources to generate a lot of original content as a small team. But by enhancing their pre-existing training with Infosec modules, they can truly embellish their security awareness training program. Mark is pleased with the current completion rates, but with stakeholder buy-in, he thinks he can boost that number even higher.  

Personalized training for staff’s area of expertise  

For Mark and his team, training is a delicate balancing act. Training should provide staff with an opportunity to learn and retain vital information security skills, but it shouldn’t be an obstacle. That’s why Mark likes that Infosec trainings can be customized to a person’s role. “We tend to stick to the more serious ones,” like Just the Facts and Core Concepts, “but I think there’s a place for all of it because different people have different things that get their attention.”  

Modules tailored to HIPAA privacy and security, PCI, and FERPA meet the needs of this diverse research institution. Additionally, the team was able to integrate trainings into Cornerstone, ECU’s human resources platform, to make the modules easy to access, track, and measure.  

Mark and the ECU leadership team are particularly excited about offering mock tests for spearphishing and business email compromise. Phishing attacks are a top threat for many universities. ECU uses Infosec IQ to send out quarterly phishing tests — and the results are outstanding. So outstanding that they needed to up the ante. Mark takes advantage of the program’s capabiltiies to provide real-life simulations of spearphishing attacks. Names are pulled from the uploaded organizational chart and inserted into mock emails. This practice offers valuable insight and metrics into how prepared the school’s faculty are for the real deal.  

Making cybersecurity fun with campus outreach 

Protecting the university’s data requires the entire ECU community to work together. Mark’s team keeps learning opportunities both fun and informative via campus outreach. One example of this is their monthly email campaign. Each month, they send out a fun ITCS newsletter covering a new topic like cybersecurity awareness and malware. Mark works with the HR Training and Development Office to put Infosec content on ECU’s HR learning management system. These video modules empowering faculty and staff to stay cyber secure, building a culture of security, and better protect the university’s IT systems and data. Supervisors are encouraged to assign content to their employees, and they can track engagement. Mark says that it is one of the aspects of ECU’s cybersecurity awareness program with the most positive feedback.  

They’ve also featured content in the campus newspaper, the East Carolinian. The initiatives are popular and have even led to Mark being recognized around the community thanks to his picture appearing in the school paper. Regular newspaper articles and the monthly newsletter are great ways to raise information security awareness on campus and build a cybersecurity culture.  

Mark is already looking ahead to how he can bring ECU’s security awareness training to the next level. He plans to do a deep dive into the data collected from past modules to determine what’s tricking people and what they can learn from the platform. He’s also keeping track of what types of content staff like to engage with so they can provide more of it in the future and spicing it up with brand-new content.  

While the details are still under development, it’s certain that Mark and his team have an exciting year of cybersecurity learning opportunities planned for the ECU community!  

Infosec is thrilled to recognize East Carolina University as a winner of the Impact Award in the 2022 Infosec Inspire Security Awareness Awards.