Xavier University of Louisiana

The Challenge

Xavier University of Louisiana’s CISO Gregory Jones knew that every one of the university’s 3,000 students and 800 faculty and staff members needed to understand their part in safeguarding the institution against today’s advanced cyberthreats.

Jones and the team of the university’s IT professionals are responsible for the governance of the university’s infosec program, the creation and implementation of policies, compliance management and other key responsibilities, like training and sourcing vendors.

Jones understood the risks the dark web poses to schools and colleges, where student and staff credentials could be leaked onto various forums and put up for grabs by malicious actors. This could result in a multitude of cyber risks, potentially devastating the institution and its people. He needed a way to understand just how many credentials were, or are, being dumped on the dark web and maybe even identify the sources of the leaks.

The next hurdle was conducting security awareness training for a large student body. Many students at the school utilize loaner laptops and tablets, highlighting the need for increased endpoint security and cyber hygiene education. Before Jones became a part of Xavier University’s IT team, the institution utilized a tool that did not offer the type of training materials needed to educate students and staff on cybersecurity. The training courses were also lengthy, often extending past 30 minutes, making it difficult to keep learners engaged and impairing knowledge retention.

Additionally, the rise in social engineering by cybercriminals, particularly on social media, poses significant risks to students, from extortion to the threat of human trafficking, extending the university’s cybersecurity concerns beyond just business email security. To address these risks, the school needed additional custom training.

The Solution

In order to overcome these challenges, Jones sought out dark web monitoring and security awareness training solutions. Xavier University was already a Kaseya backup solution customer, which led Jones to discover ID Agent’s Dark Web ID and BullPhish ID.

Dark Web ID is a dark web monitoring solution that scans the dark web for exposed credentials and PII, alerting organizations to potential security threats.

After implementing Dark Web ID, Jones and his team uncovered an alarming number of compromised credentials for the school’s email addresses, numbering in the hundreds. These credentials had been circulating on the dark web, stemming from data breaches, some of which dated back years ago — a time when rigorous IT security and email policies, particularly concerning user password management, were not as stringent as they are today. These older compromises still presented a problem because the school keeps the email accounts of former faculty members active for regulatory reasons.

When it came to tackling the problem of training more than 3,800 students and faculty, BullPhish ID delivered on all expectations. BullPhish ID phishing simulations and frequently updated video training modules enable institutions to strengthen the vigilance and security knowledge of their students and staff. Through short, engaging video training and realistic phishing simulations, it teaches learners to spot and avoid cyberthreats, such as phishing and social engineering tactics.

BullPhish ID gives Jones and his team the ability to create their own custom training content to augment the extensive course selection within the product and use the BullPhish ID platform to deliver it. The solution also allows the team the flexibility to conduct phishing simulations at random on a bimonthly basis, varying the exercises by job function or department to obtain performance metrics for progress tracking and determining future training direction.

Results

The discovery of numerous credentials on dark web forums prompted a significant overhaul in the university’s approach to security, leading to enhanced measures to protect its user base from vulnerabilities via exposed usernames, passwords and PII. This helped the team further improve their security training programs and password policies to ensure user credentials were better protected.

After implementing BullPhish ID, Jones received positive feedback from the faculty, students and staff members. The training makes them feel better informed and prepared to deal with cyberthreats. The fact that BullPhish ID enables the IT team to customize training material and phishing simulation kits to target specific faculty and staff members further improves their user experience, all while strengthening the university’s cyber resilience.