Washington University’s (WashU) Office of Information Security (OIS) is proud to announce our new partnership with KnowBe4 in our ongoing commitment to information security training and awareness. In the coming weeks and months, our office will begin to deploy KnowBe4 training tools across our campuses. These tools will empower our office to assess the strength of our existing information security culture, identify areas for improvement, and prepare every member of our community to safely navigate the rapidly evolving information security landscape. 

What is KnowBe4? 

KnowBe4 is the world’s first and largest security-awareness training and simulated phishing platform. More than 35,000 organizations around the world use KnowBe4 to raise awareness of threats to information security and train users to protect themselves and their institutions from those threats. KnowBe4 is highly reputable. In 2019 and 2020, the platform was named “Security Awareness Training Platform of the Year” by CyberSecurity Breakthrough (Tarantino 2020), “Education and Training Provider of the Year” by Network Computing (Tarantino 2020), and the winner of the Cyber Defense Magazine “Cyber Defense InfoSec Award” (Tarantino 2020). The list of accolades for KnowBe4 is long. This is a tried-and-true training method used by thousands of institutions. In fact, some of WashU’s closest partners have been using KnowBe4 for several years. We are happy to join in the effort and offer this award-winning program to our campuses. 

Why do we need more information security training and awareness? 

The strength of our institutional information security relies on the knowledge and actions of individual users. One successful breach can create more extensive vulnerabilities. Cybercriminals use common techniques (e.g., phishing and social engineering) to surreptitiously capture login credentials and personal information that can be used to impersonate leadership and other personnel, potentially allowing these bad actors to access troves of intellectual property and personal information of our faculty, staff, students, and patients. 

The stakes are high. Not only do these criminals threaten privacy and intellectual property, but these breaches are also costly to the institution, redirecting valuable resources to mitigating the impact of a breach. According to a recent report by IBM and the Ponemon Institute, the global average cost of a data breach in 2020 was $3.86 million. Because of the complex and varied regulatory environment in the United States, the average cost of a breach among U.S. organizations was even higher at $8.19 million per breach. The threat is real, serious, and ever-changing. Just this year, a breach of the file-sharing application, Accellion, affected dozens of academic, governmental, and private-sector organizations. According to the technology news outlet, Bleeping Computer, the “Clop ransomware group” demanded $10 million in bitcoin from affected organizations, or they would publish stolen data. In March 2021, the Clop group began publishing screenshots of stolen files from the Accellion breach. These data included medical records, demographic reports, social security numbers, grades, email addresses, and phone numbers. 

Fortunately, we are not defenseless in this treacherous security landscape. Our office continuously monitors and responds to these evolving threats, and our entire community of users forms a “human firewall” against cybercrime. Cybercriminals target individuals as entry points to the entire institution. Through training and awareness, each of us can better identify and report these threats, thereby protecting our institution from breaches. Our users are the most important component of our shared security strategy. We are here to help you protect yourself, your colleagues, your students, your patients, and our institution.   

How does KnowBe4 work? 

KnowBe4 offers brief, often entertaining, training modules to users. In addition, KnowBe4 provides our office with the analytical tools we need to understand our existing security culture and to tailor our training and awareness communications to your needs. 

To better understand our existing security culture, we will use KnowBe4 to deploy phishing simulations on our campus. These simulations feature all of the typical hallmarks of a criminal phish—poor grammar, unknown e-mail sender addresses, spoofed institutional branding, and urgent requests. If you see such a suspicious e-mail appear in your inbox, all you need to do is click the “Phish Alert Button” at the top of the e-mail. Some of the reported e-mails will be simulations from our office, helping you identify threats in a low-stakes scenario and letting us know that you are aware of the hallmarks of phishing. Some of the reported e-mails will likely be actual phishing attempts, and our office will investigate the threat and take steps to prevent it from spreading. Whether the phish is real or simulated, your simple “Phish Alert Button” click will help our office by identifying real threats as well as ways we can improve our training and awareness strategy.

Phish Alert Button (PAB): How to Report Phishing on Campus

About the Quarantine Folder

You might have noticed a new folder named “Quarantine” in your Outlook or Office 365 email. This folder contains email messages that are almost certainly malicious but are still undergoing review by our team. You may be in the habit of occasionally checking your Spam folder for legitimate emails that have been incorrectly identified as Spam. The Quarantine folder is different. The messages contained in the Quarantine folder possess hallmarks of malicious emails and will likely be purged from our system after review. There is virtually no reason for you to check your Quarantine folder, so go ahead and preemptively cross that task off your list! If you have questions about the Quarantine folder or its contents, please reach out to our office at infosec@wustl.edu.

What will OIS do with KnowBe4 results? 

Our office will use data from reported phishing e-mails to identify real threats and eliminate them from our system. We will use data from phishing simulations to understand the efficacy of our security awareness strategy and develop targeted trainings and communications to strengthen our “human firewall.” We will regularly report on what we learn in our new monthly Information Security newsletter. Rest assured that when we report on these findings, we will only report aggregated data and will always protect the privacy of our users.  

Next steps for users 

Please be aware that the “Phish Alert Button” button is the preferred phish reporting method, and, as always, please be on the lookout for suspicious emails. When you see a “phishy” email, simply report it using the button. Whether it is real or simulated, your participation will help us keep WashU secure. If you have any comments, suggestions, or questions for our office, please reach us at infosec@wustl.edu.