Why cyber security awareness is crucial for on-going protection and prevention against cyber attacks

Q&A with North-West University’s Barend Pretorius

What is your role at the University?

I’m a Senior Business Analyst within the division AOS (Application and Office Support) My duties vary from institutional software license management to system implantation and project management.

How many staff and students are at the University?

Currently the NWU has +- 5000 staff members and +- 85 000 Students (Students are spread over three campus and are comprised of full time, part time and distance both for undergraduate and post graduate studies.

Has the University been victim to cyber attacks?

Yes, the NWU regularly comes under attack from different entities either phishing our users with fake sites for information or direct attacks in the forms of malware and ransomware. Staff have downloaded attachments, which appeared to be legitimate, but were actually malware attacks.

What has the impact been to these attacks?

  • Large scale virus infestations on end user devices causing loss of data
  • IT operations unable to operation affecting productivity and the user experience
  • Increased strain on our IT department in regards to supporting and fixing these disruptions
  • Overall concern about the Universities reputation across South Africa

Why did the University select KHIPU’s simulated phishing and cyber security awareness training service?

  • Users are the biggest single failure point for any institution but can also be your biggest defence against these kinds of attacks. Education is critical for cyber defence as users need to be made aware of the kinds of threats and what impact they could have on them as individuals and on the institution.
  • We chose KHIPU’s service to understand our risk to phishing attacks so the right level of awareness and training can be applied. They were the only cyber security within South Africa, who had experience in carrying out these services in large University environments.

What did the service offer the University

  • It offered us as an institution, simulated phishing attacks so we could target our users to understand the University’s risk to these types of attacks.
  • Extensive risk reports were provided detailing the impact and reach of these simulated phishing campaigns, enabling us to identify our vulnerabilities and weaknesses, so we can implement the right security controls and training to help protect and prevent real-life attacks.
  • Onsite cyber security training was carried out across all of our campuses to both students and staff (over 30,000 people), supported by on-line awareness services – as educating our users is the only way to truly fight these forms of phishing attacks regularly hitting our institution.

How has the University benefitted from the service?

  • This service has provided us with great insight into our user base and their vulnerability points. We now have a better understanding of how people react to phishing and from what devices they are more susceptible to these attacks.
  • We implement regular simulated phishing services to help drive awareness coupled with extensive training programs
  • By knowing our risks and vulnerabilities, we can help reduce our risk of being breached.

What are the next stages?

We have completed four phishing campaigns thus far and two rounds of user education. Our future plans are two run two more targeted campaigns over the next twelve months and continuously encourage our staff and students to take part in the education program.

Would you recommend the service to other education institutions within South Africa?

We, as an institution, would encourage the education sector to run simulated phishing campaigns supported by regular cyber security training, to help promote awareness of cyber threats. Cyber security impacts on all of us regardless of how big or small an institution is. Continuous education of our staff and students will aid in combating these attacks and the threats they bring to both our work and personal life. In the long run, our students will be more empowered and aware of cyber threats in their professional careers once they leave the institution.