
Bee Aware: A Year in Review and 2024 Top Risks


This year, you received messages from Yale's Chief Information Security Officer (CISO). These messages outlined your role in protecting Yale from different cybersecurity risks.

But how do we determine what those risks are? How do we plan to ensure we are staying ahead of the ever-changing cybersecurity threats?

In December, we review and report on the top risks facing Yale. We share this report with the Yale Board of Trustees.

So, what is on our mind? What real risks did we face, and what risks will we face in the coming year? Read below to find out.

2023 Risk Review

Two major risks in 2023 included social engineering and accountability. 

Social Engineering

Social engineering manipulates people into sharing personal or confidential information. It’s a favorite tactic of cybercriminals that accounts for 98% of cyberattacks.

Here at Yale, we mostly see these attacks in the form of phishing messages. These are fraudulent emails or text messages aiming to steal our credentials or other sensitive information.

We’re all busy, and cybercriminals use that to their advantage. They often play on fear and urgency to trick us into sharing information we normally wouldn’t. That’s why we focused our awareness efforts on recognizing these attacks and what to do.

Our “Recognize, Relax, Rethink” campaign focused on:

  • Recognizing red flags indicating suspicious messages
  • Relaxing before reacting by taking a moment to breathe and pause
  • Rethinking the way you respond

The truth is, any one of us can fall for a social engineering attack. They are that sophisticated. These three steps can help keep you cyber-safe and prevent you from falling victim to the attack.

 

Accountability

Everyone has a responsibility for securing Yale’s systems and data. This year, we focused on everyone’s responsibility to report suspicious online activity.

We addressed the hesitation people can feel when they suspect something is wrong. This is why we emphasized the “Bee SAFE, Not Sorry” model. When it comes to reporting an incident, being SAFE means:

S  -  See something suspicious 
A  -  Act quickly 
F  -  Follow instructions 
E  -  Exercise discretion

You know your work better than anyone. If something seems unusual or suspicious, don’t ignore it. Go with your gut. Report any and all suspicious cyber behavior.

Looking ahead to 2024

Social Engineering

Sophisticated phishing attacks continue to intensify. New multifactor authentication (MFA) will improve protections against this threat. The community must continue to be vigilant. Please continue to report these messages. Even if it ends up being nothing, it is better to be safe than sorry.

 

Accountability

We see evidence of an improved understanding of the responsibility everyone has for securing Yale’s systems and data. We also see that incentives are not always well aligned with properly prioritizing cybersecurity risk management work. A new security dashboard will allow leaders to understand their security posture relative to their peers and adjust resources accordingly.

 

Securing Research Data

A newer risk emerging at the top of the list has to do with securing research data. Increasing security requirements for research are being addressed through coordination between the Information Security Office, research groups, and other stakeholders. This will help maintain Yale’s security posture as demand for regulated research environments grows.

In 2023, the Yale community showed their support for our cybersecurity program efforts. We thank you for your ongoing commitment to doing your part in protecting Yale’s data and systems. We look forward to partnering with you in the new year!