Cybersecurity Awareness Checklist for Educational Institutions
Education has become a growing target for cybercriminals, with breaches up 103 percent in 2017, according to Gemalto. These breaches are mostly motivated by financial gain; Verizon's 2018 Data Breach Investigations Report (DBIR) found this to be true in 70 percent of incidents.
Educational institutions can't afford to think of cybersecurity as an afterthought. The data and systems that comprise a network are essential to keeping schools and universities running as they should. A lot of responsibility has been placed on networks as the infrastructure of data and information, so network protection is paramount.
Phishing simulations & training
While education may seem like a less obvious target than banks, think of the goldmine of data educational institutions have. Student and staff personal information is especially at risk. Thus, preparation and proactive strategies are necessary.
Start by reviewing this security checklist for education and implementing any of these approaches not currently in use.
The Education Checklist for Optimal Cybersecurity
1. Separate student and admin networks. When separate, the network with the most secure information will have stronger security than systems that students use for communication and information.
2. Always update patches so that the system is always using supported software and operating systems. If patches are not updated, these unsupported systems are ripe for compromise. This goes for all devices on the network in addition to PCs — devices like smartphones, tablets and any Internet of Things (IoT)-connected equipment.
3. Establish a backup program. This will be essential if an institution is hit by a ransomware attack. Consider this part of a business continuity plan. A redundant system at an offsite location is critical.
4. Take anything offline that can be. With fewer systems online, attackers have less options to infiltrate. This could include printers, cameras, and TVs.
5. Offer
security awareness training for all staff and users. Make sure they understand how to spot a phishing attempt so that they don't click on things that are bait for introducing malware or ransomware onto the network.
6. Test for vulnerabilities
regularly. At least quarterly, perform an external vulnerability assessment. Find the gaps before a malicious actor does.
7. Document incident response plans. Don't guess at what to do when there is a breach, have a plan of action instead. Keeping a formal plan improves your ability to minimize an attack or breach if it does occur. Also make sure that any employee or user knows what to do in the case of a security incident.
8. Lock down any devices that have access to the network after a certain amount of idle time. This prevents an inside threat from getting into a system they don't have access.
9. Develop a BYOD (Bring Your Own Device) policy for anyone who access to the network, which would include students, faculty, staff, and visitors. While BYOD is great for the classroom — integrating technology into learning — it can leave networks vulnerable. Monitoring and risk assessments should be in place for the Wi-Fi that each of these devices will use.
10. Institute a strong password policy. That policy should include requirements like:
- Don't use the same passwords for multiple accounts or devices
- If possible, require that passwords be a minimum of 8-12 characters and include upper and lowercase letters, number and special characters
- Warn against the use of words that could easily be identified, such as names, addresses, Social Security numbers and birthdates
- Advise against storing passwords in browsers, as these can be easily revealed once a cybercriminal has access to a device
- Avoid logging into secure systems on other devices that aren't their own, or unsecured Wi-Fi hotspots without a VPN
- Change passwords every 90 days or less. Reminders should be sent to parties at least 10 days before
- Employ two-factor identification if possible
- Do not share passwords with anyone
11. Maintain antivirus software and ensure it's always up-to-date. Enable automatic updates when possible. Ensure the software scans the network regularly for viruses.
[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]
12. Dispose of anything related to information technology — data or equipment — in a secure and proper manner. Devices should be cleaned with any data removed.
13. Build awareness by participating in National Cyber Security Awareness Month (NCSAM) every October. Make this a time to engage users about security concerns. Host online and offline events to educate and inform. Share tips and information via social media and on the institution's website.
14. Ensure compliance with all regulations within your security protocol. As an educational institute, these regulations may include HIPAA, HITECH, FISMA and PCI DDS. When developing your programs for cybersecurity and business continuity, you cannot forget compliance. Depending on the type of institution and the data stored, there is no optional compliance. It's mandatory and must be considered.
15. Measure the effectiveness of network security policies. Simply because there have been no breaches doesn't mean that the policy is foolproof. By paying attention to metrics around how well the network holds up, educational institutions can also measure how well staff are doing to comply with security protocols.
16. Secure physical access to any on-site servers. These should be held in an area with strict access. Make sure this access is by key card and that only those with a need can enter the space.
17. Minimize administrative privileges. If a cybercriminal is able to breach a device with administrative privileges, it will be much easier for them to do damage. IT decision-makers should limit the number of users with admin rights, with only a handful of users having this designation. Regular students and faculty should never be given access to the student's system, as they have no reason to need it. Unless someone really needs such access because it's a function of their job, don't set it up!
Conclusion
Educational institutions have a lot of responsibility when it comes to protecting data and their networks. With appealing data to steal, cybercriminals will continue to take aim, so institutions can't be sitting ducks. With a robust network and this comprehensive checklist, institutions can reduce their weaknesses.
When there are less vulnerable spots, malicious actors may find it too "hard" to break-in and turn their sights somewhere else. Regardless of the threats, having a strategy that focuses on prevention first, mitigation second should work to keep networks safe.
Sources
Ransomware still a top threat, warns Verizon 2018 Data Breach Investigations Report, Verizon
Phishing simulations & training
Breach Level Index 2017 Report, Gemalto
In this Series
- Cybersecurity Awareness Checklist for Educational Institutions
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness