Cybersecurity professionals at four higher education institutions discuss how the COVID-19 pandemic has impacted their security awareness programs.
The last two years have been unprecedented. As COVID-19 started to spread across the world in March 2020, higher education pivoted abruptly to an online model. Most faculty and staff started working remotely for what they thought would be a month or maybe six months at the most. They probably didn't expect that the pandemic would still be going on today.
As colleges and universities continue to navigate the shift to online learning, they "are fostering conversations on how they can leverage insights and positives into a more thoughtful plan going forward."Footnote1 Security awareness programs have also experienced transformative change, and security and privacy professionals are continuing to adjust on the fly. Ben Woelk, governance, awareness, and training manager at the Rochester Institute of Technology (RIT), asked colleagues at the University of Virginia (UVA), the University of California, Berkeley (UC Berkeley), and Duke University about the impact the pandemic has had on the cybersecurity and privacy programs at their institutions and how they are adapting their approaches and leveraging new opportunities for flexibility and collaboration.Footnote2
Ben Woelk: What did you find to be the biggest challenges and changes associated with the pandemic?
Kelly Haley: At UVA, we had been working on updating our in-person escape room. We were creating puzzles that included physical elements, such as locks, black lights, posters, and hidden objects. In March 2020, I took the entire trunk of materials home with me so we could still meet our June launch deadline. When we found out we wouldn't be going back, we switched gears and started looking at creating a virtual escape room experience. We formed some partnerships and launched the virtual escape room in October.
Casey Hennig: The UC Berkeley Information Security Office leveraged the changing workforce landscape to promote telecommuting best practices to our community. We created a "Cybersecurity and COVID-19" resource on our website with information ranging from new COVID-19 scams and secure Zoom settings to our minimum security standards. By putting all of our information in one area, we were able to easily promote and get important content in front of new eyes.
However, we quickly discovered that our existing outreach wasn't having the same impact as before, so we explored new ways of using existing channels while concurrently looking for new channels. We started to think about security awareness in the context of COVID-19. For example, many of the new phishing scams we saw were taking advantage of people's worries about the pandemic, so we capitalized on that attention and promoted solutions through our campus' COVID Response and Recovery newsletter.
Cara Bonnett: At Duke, we took a bit of a left turn. In the past, we had relied on in-person events and talks, but we had never done a whole lot with video or animation. After COVID-19 hit, we tried out a free animation software program called Powtoon. We started by creating a short video about ransomware risks for researchers since we knew they were big targets. The response was terrific, so we ended up using the software to construct our first annual security awareness training. We kept it short: three modules and less than ten minutes total. We rolled it out across the enterprise in a matter of months in collaboration with our colleagues on the health care side. It may be one of the fastest rollouts we've done.
Woelk: Kelly mentioned that UVA had a physical escape room. At the Rochester Institute of Technology, we also had a physical escape room that we had initially developed for our first-year students. We had started offering it to faculty and staff and had gained pretty good traction. COVID-19 forced us to reconsider our escape room experience. We had a very talented student employee who reconceptualized our physical escape room and converted it into a virtual escape room. It was up and running within two to three months.
What other things are you doing differently? Are there opportunities you've taken advantage of, new things you've been able to do—or maybe have been forced to do—or new ways that you're approaching something?
Hennig: One of the challenges that didn't exist before everyone moved to remote work was Zoombombing. Not only was it a high-profile, highly visible issue for our Berkeley community, but it also presented a challenge in terms of creating educational content out of the blue and on the fly and keeping it up to date. Being flexible was imperative. Before the pandemic, we had a really tight content calendar. That all went out the window when the pandemic started. Instead, our content became driven by the question, "What do we need to address right now?" We found strength in our ability to rally around and solve new challenges.
Bonnett: Before the pandemic, we'd worked hard to explain the connection between good security hygiene at home and at work; for example, why multi-factor authentication (MFA) and password managers are good to use for all of your accounts. Suddenly, we were talking to people in their homes. You could see them with their kids and their dogs, and it was clear that working from home meant looking at security best practices in a new way. Home and work became interconnected. We put together an on-the-fly Learn IT at Lunch session that featured my colleagues from the security team who had kids of different ages—elementary school and middle school—and asked them to discuss how they talk to their kids about protecting their information and what their recommendations are for wireless security at home. We got huge interest and attendance because everybody was in the same boat. And it looks like we will remain in a similar version of that boat for some time. That change really helped us get the message out about how security is a part of your everyday life—at work and at home.
Haley: Communicating with users was my biggest challenge. Our mass email policy changed to limit the amount of emails we were allowed to send. Getting the word out to users was so hard. I started putting messages at the bottom of my emails, like little advertisements: "Hey, come check us out at this website." Finding new, out-of-the-box ways to reach users became a huge priority. I took a few short marketing courses to get as much information as possible about how to grab users' attention. As I was sitting in my house trying to do my job, my five children (ages nine to sixteen) were left with their devices. I felt that others had to be experiencing the same thing, so I decided to shift my focus to keeping families cyber safe. I thought getting their attention with something that was directly affecting their day-to-day life might get them interested in other areas of cybersecurity.
Woelk: The Information Technology Services group at RIT includes about 135 people. We had been using Slack within the group for a while. As part of the pivot, we rolled out Slack campus-wide and Zoom to support teaching and learning. That allowed us to communicate with a good number of our colleagues that we were no longer able to see face-to-face.
I found that one of the things I really missed, although I identify as an introvert, was the ability to get together with people, whether one-to-one or in small groups. Because we weren't able to meet physically, I had to become very intentional about arranging for regular virtual contact with people.
I also found that it was important to chat with people from outside my institution. I enjoy these conversations, and I wanted to keep them going. I have at least monthly calls with each of you, for example, in part to maintain our relationship, but also to have someone to brainstorm with and discuss security awareness issues and new initiatives with. In our roles as security awareness practitioners, keeping abreast of what other institutions are doing is important. It can sometimes be easier for a new initiative to gain traction when I can say, "Well, Berkeley is doing this, Duke is doing this, University of Virginia is doing this," because then I have a little bit more cachet in terms of it not just being my idea.
What else have you found to be important when working remotely?
Bonnett: We're all thinking differently about everything. At Duke, we reevaluated our approach to swag. What do you mail and what do you hand out? Would there be more value to a cool Zoom background that people will probably see more often? That sort of creativity will need to continue because budgets will likely stay limited, and we may not be in front of large groups of people like we used to be. We're going to have to keep reinventing security awareness.
Hennig: I have found incredible value in the Higher Education Information Security Council (HEISC). The group provides a forum for identifying problems and sharing strategies or solutions. The UC campuses also meet biweekly to talk about ways to share resources across locations. For example, we partnered with a third-party vendor for Cybersecurity Awareness Month and rolled out a systemwide program, complete with content, events, and speakers, which helped all of the locations individually and made the program stronger as a whole.
Haley: Having peers to discuss ideas, trials, and tribulations, and get the ball rolling on ideas—even if I ended up going in the opposite direction—was the biggest thing for me because it gave me traction in an otherwise nebulous time.
Woelk: Connectivity is so important for boosting morale, maintaining relationships, and being innovative. Hearing what other groups are doing gives me ideas that I can build on, and I think that has helped me come up with new ideas and figure out how to do things during what has been a very challenging time. I encourage everyone to become intentional about making connections and to attend our Awareness and Training community group meetings.
Moving Beyond the Pandemic
The past two years indicate that security awareness programs will not return to what they looked like before the pandemic. Through disruption and uncertainty, security awareness professionals have found new and creative ways to deliver content and engage with their audiences. They also have built and fostered new virtual connections that support professional growth in their roles. Going forward, accelerated flexibility and collaboration can help programs expand and mature, creating a security-aware culture across higher education.
- Stephanie Moore, et al., "One Year Later . . . and Counting: Reflections on Emergency Remote Teaching and Online Learning," EDUCAUSE Review, November 10, 2021. Jump back to footnote 1 in the text.
- This article was inspired by Cara Bonnett, Kelly Haley, Casey Hennig, and Ben Woelk, "Adjusting on the Fly: Transforming Security Awareness during the Time of Covid," (panel discussion, Cybersecurity and Privacy Professionals Conference, online, June 8, 2021). Jump back to footnote 2 in the text.
Ben Woelk is the Governance, Awareness, and Training Manager at Rochester Institute of Technology.
Kelly Haley is an Information Security Education & Awareness Coordinator at the University of Virginia.
Casey Hennig is the Information Security Outreach and Engagement Coordinator at the University of California, Berkeley.
Cara Bonnett is the Technology Risk Assurance Manager at Duke University.
© 2022 Ben Woelk, Kelly Haley, Casey Hennig, and Cara Bonnett. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.