Everyone e-mune: how KU Leuven is managing to develop a successful security awareness programme

by
Davina Luyten

Communications Officer @ Belnet

In an academic environment, where innovation and openness are central, the risks from cyber threats are particularly high. Belgium's largest university, KU Leuven, has been proactively raising awareness and training its more than 15,000 staff members for years, and with success: the e-mune programme has become a strong brand at the university. GÉANT was curious about its approach and visited Sofie Pieraerd, a member of the management team for ICTS – KU Leuven's central IT department – and Karel Titeca, responsible for communications within ICTS.

  • How did the security awareness programme at KU Leuven originate and evolve? 
    • "In 2008, we started with a few separate informative pages on our website. This was how we achieved several quick wins in a short period of time. Six years later, we worked with an advertising agency to develop a logo and baseline: e-mune was born! The name and slogan 'KU Leuven takes care of your online health' emphasise our intention to take information security seriously and integrate it into our culture. 
    • We occasionally use e-mune as a hook for sharing some more technical information, but it remains primarily an awareness programme with comprehensible and relevant communications for end users."
  • What target groups do you want to reach with your awareness programme?
    • "We target three main audiences: staff members, students and IT administrators. Each target group requires a specific approach. 
    • KU Leuven has several hundred IT administrators spread across the various faculties. They face specific security risks – for example, research infrastructure connected to a PC on which certain updates are no longer possible. Often, those administrators do not have the resources to train their (end) users. We support them in this with technical solutions and by communicating around best practices. Security should be something obvious, and not an afterthought."

Playful approach pays off

  • Through what channels are you trying to get staff and academics to buy into the story?
    • "The e-mune website is the central communication channel. Employees will find a wealth of information there, ranging from phishing to the safe use of social media. Fairly recently, we posted our 'knowledge clips' on there: some 20 short videos around specific topics with manageable information that they can watch at their own pace. We regularly send out e-mune 'flashes' too – short newsletters in which we also respond to current events. 
    • We also recently rolled out an online training platform for the entire university, which we use to send out simulated phishing e-mails at regular intervals.
    • On request, we hold tailored information sessions – for example, we have already given a session on spear phishing for the Finance Department. This is greatly appreciated and leads to greater involvement."
  • How do you raise awareness around information security among students?
    • "Reaching students requires a distinct approach. We try to be visible as much as possible, for example in the libraries, learning centres and at the student welcome at the beginning of the academic year. 
    • We find that playful gadgets help get our message across: for example, we have already run campaigns with fortune cookies that each contain a tip around information security, as well as with printed apples ("Better a worm in your apple than in your PC"). 
    • Our Easter egg campaign was particularly successful. If we give you an Easter egg with a yellow piece of paper and we tell you it contains milk chocolate, will you believe it blindly? Or are you going to check it first? The point we wanted to make is simple: always remain critical and use common sense, even on the Internet.  
    • When implementing multi-factor authentication (MFA), we initially encountered a lot of resistance from students. We were able to eliminate that through a targeted campaign with challenging slogans like "Why cram when our points will soon be up for grabs anyway?" We put out a call for students to come up with their own slogan for MFA. "Check it twice, don't roll the dice!" emerged as the winner.
    • These campaigns are not one-shots, but structural initiatives. The key message we weave into it is that you're not just doing it for yourself, you're doing it for the safety of the entire university."    
       

Insurance

  • What have been the key success factors for the e-mune programme?
    • "First and foremost, the active involvement of the various departments at the university. Regular consultation gives us a good view of the various departmental needs and ensures better dissemination of our messages within the various sections of the university. We are also committed to embedding e-mune into existing communication structures and administrative processes. 
    • The buy-in from the university administration has also been indispensable in taking e-mune to the next level. Our general manager is a major sponsor of digital information security and has therefore actively supported the roll-out of our phishing simulation platform. 
    • We are also given the freedom through policy to work quite autonomously around security awareness. It obviously helps that our 'core group' has sufficient organisational awareness of what can and cannot be done. We can be creative and come up with some playful ideas, but we are also careful not to create any controversy. We also regularly respond to current events, which makes our target groups feel more involved and security does not become a distant reality. 
    • Internally, we are positioning the e-mune programme as an insurance policy – something we invest in long-term, but hope never to need. Of course we want to get results, but it should not become a short-term 'return on investment' story."

Learning culture

  • What tips can you pass along to other R&E institutions that are working on awareness?
    • "Start small and build up. We started with small steps and gradually expanded the programme. At some point, you need to have leverage anyway to shift to the next level. But don't let a lack of a formal policy decision stop you from starting certain things bottom-up already. 
    • Budget should not be a major obstacle in principle either. You can already achieve a great deal with limited resources, as long as you have motivated people and the right expertise.
    • Another important lesson is the importance of a positive approach. We avoid blaming and shaming. We are positioning e-mune as a training programme, not a punishment. By focusing on a learning culture and open communication, we have created an environment where employees feel comfortable asking questions and reporting incidents."
  • What are the challenges? And what does the future of e-mune look like?
    • "Maintaining the attention of staff and students remains a challenge. We need to keep thinking about how to draw attention to our content. It is an illusion to think that users will figure this out on their own.
    • It also remains important to continually evaluate and adjust the programme based on feedback and new developments. For example, as part of the onboarding, we plan to develop a concise slide deck with the basics of e-mune. That way, new employees will be informed of our security standards and procedures from the outset. 
    • In addition, we plan to expand our website to include some practical guides on how to deal with security and privacy incidents. Responding correctly to incidents should become a reflex – something like 'stay calm, call 112' in the event of an accident.
    • Furthermore, we are thinking of working with ambassadorship. In our training tool, our employees can also obtain certificates. We are pleasantly surprised at how many colleagues are really actively engaged in this. They would be perfect ambassadors for e-mune."
  • Will the e-mune programme ever become obsolete?
    • "Security is always an ongoing story: we have MFA, but also still require strong passwords. One measure does not render another unnecessary. Moreover, security risks are constantly evolving, and awareness may well be needed on an ongoing basis. What matters is which part of our organisation has a growing awareness, recognising and mitigating risks. A group we would like to see continue to grow. And where is that ever going to stop? When will you reach your saturation? No idea. We want it to be active in people's minds and talked about."

Want to know more?

KU Leuven's e-mune programme is a great example of how a university is successfully dealing with the challenges of security awareness. Through a structured approach, targeted campaigns and effective communication, KU Leuven has succeeded in creating a culture of information security. If you want to learn more about the e-mune programme, be sure to register for the GÉANT Awareness Community's online session on Tuesday 14 November. Keep an eye on the GÉANT Security website for more info or sign up for the Security Awareness mailing list!

Copyright © 2024 Belnet.