Cybercriminals have the higher education industry in their crosshairs.
According to certain reports, higher education accounted for 13 percent of all data breaches in 2017, with only the healthcare and financial sectors being targeted at a higher rate.
This is no surprise: personal data (of everyone from alumni to staff to faculty), academic research, and cross-institutional records make attractive targets for hackers.
Several cybersecurity incidents have been publicly announced by higher-education institutions, such as:
- A University of Maryland database breach targeting the university’s network revealed the records of 287,570 affiliated personnel, students, faculty, and staff
- A hack of UCLA’s health system may have exposed records of more than 4 million patients
- A 2017 ransomware cyber-attack on University College London may have damaged the files stored on its systems
The information at risk is often that of young individuals laying the foundation for their education and professional lives. Imagine a hacker with access to your Social Security number while you’re still 18. How could that disrupt your ability to get a loan, buy a car or get a job? A decade later, what would happen when you apply for a housing mortgage?
Colleges and universities find themselves locked in a costly arms race as they try to install new tools and modify their tactics to mitigate the latest cyber attacks. However, the attackers continue to switch schemes, find ways around the tools, and hit different victims.
In other words, technological defenses can only go so far. No matter how versatile an institution’s cybersecurity software may be, its end users lead the line of defense during an attack.
That’s where security awareness comes in.
Awareness often takes a backseat due to the busy lives of faculty, and hectic schedule of students. However, it’s important to educate faculty, students, and staff about security awareness if higher education wants to stand a chance against digital crime.
What Can Higher Education Institutions Do to Raise Awareness?
Security is a success-driver when done right, and a considerable risk with potentially devastating consequences when it fails.
Here are five ways higher education institutions can raise awareness on security.
1) Simulated Phishing Exercises
Students, faculty, and staff can be educated on security via simulated phishing.
Universities can build phishing campaigns in-house, where IT can send out fake phishing emails with embedded links. Anyone who clicks on any of the links is redirected to a web page that informs them of the simulation exercise and provides further security-related information.
Alternatively, institutions can partner with organizations who offer phishing simulations in the form of videos, modules, and games. Most vendors will be able to customize awareness training to fit the needs of several types of institutions.
2) Data-Sharing Lectures
Students and faculty members share a variety of personal data through apps and other online services. Specific apps ask to access or use far more data than they need in exchange for free services, and some of them are designed by adversaries who are looking for gateways into institutions.
Personal data can be used to guess passwords and gain access to a device that may contain sensitive data about a college or university. Therefore, lectures should be arranged about data sharing via mobile apps and social networking sites, where the focus should be on reading user agreements to check the amount of data requested before someone downloads a new game or tries a new service.
3) Incentives
Incentives can help boost behavior changes, and industries have turned to using awards to make security-awareness education more interesting.
For instance, schools may award prizes to students, faculty, and staffers who flag a vulnerability, while the IT department may compete for a monetary reward based on who can identify the most security threats.
On the flip side, those who engage in unsecured browsing and device usage behavior will hear about it too. In fact, incentives may encourage staffers to take their institution’s security seriously and become part of the first line of defense against attackers.
4) Institution-Wide Security Hygiene
Everyone from students to external stakeholders should be educated on the significance of security hygiene.
Colleges need to start enforcing an acceptable-use policy, where all devices and workstations are locked down by stakeholders and signed out when they’re inactive. Training programs should be set up to educate end users about the importance of strong passwords and timely updates of devices’ operating systems.
Research what individuals require and create baseline rules for essential security controls that should be followed at all times. Students can also be asked to access university applications through a secure portal that keeps data secure and doesn’t place restrictions on student-owned devices.
5) Executive On-Campus Sponsorship
Get buy-in from campus leaders to ensure that a culture of security spreads through an institution. Top individuals, like the president of the student union, can be tasked with the executive responsibility to drive awareness and keep things on track, and they should report to the upper management directly.
This will give institutions the best opportunity to ensure that their security goals are balanced with other risks, like lack of student interest. To keep interest high, campus leaders can arrange events like a “security awareness day” with activities.
Conclusion
Security awareness offers several key benefits to higher-education institutions. It helps them facilitate behavioral change to mitigate potential risks, comply with laws, and reduce unnecessary cost.
However, instead of relying entirely on information-security professionals to prevent infiltration and minimize vulnerabilities, institutions should bank on the persons within to learn and digest new information about security.
By taking the measures mentioned above, schools will be in a better position to create a culture of continuous learning and security awareness.
Sources