4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
Cyberattacks on education institutions increased by 43% in 2022, making the education/research sector the number one most hacked last year, according to Check Point’s latest data. High-profile attacks on large public school systems like LAUSD drew quite a bit of media attention, as did attacks on higher education institutions such as Lincoln College. With the move to digital and hybrid learning models and new digital tools and devices in the classroom and beyond, opportunities are ripe for hackers.
Security awareness training is a crucial aspect of protecting both personal and professional information. However, many institutions make mistakes when creating and implementing security awareness training programs which impact their overall effectiveness and, ultimately, the university’s security. In our experience at Infosec, these are four common mistakes universities make with cybersecurity awareness training.
In this article, we will outline those mistakes and what you can do to help keep your campus or campuses safe.
1. Not customizing training
Not customizing training and making it relevant to different faculty and staff — or different campuses — within your institution is one of the biggest mistakes. Don’t roll out the same security awareness training for all employees. The training should be tailored to the specific needs and responsibilities of each faculty or staff member.
For example, a financial analyst may need training on handling sensitive financial information, while an enrollment representative for a university may need training on how to spot and handle phishing attempts since they often receive emails from people they don’t regularly interact with. By making the training relevant to the role, they will be more likely to pay attention and retain the information.
2. Not making it interactive and engaging
Many institutions create security awareness training that is dry and boring. Faculty and staff are more likely to pay attention and retain the information if the training is interactive and engaging. This can be done through quizzes, fun games and simulations that make the training more interesting.
Sometimes even a live 5-minute walkthrough with an internal or external subject matter expert (SME) can add a level of excitement, interaction and vitality to stale security awareness training programs. These SMEs are usually very plugged into the industry and can provide valuable insight into recent cases seen in the media and on social media platforms. Often faculty and staff hear about these incidents but having the background explained to them so they understand how it relates to their training drives home the impact and sparks the behaviors security leaders want to see. Using recent events as teachable moments grabs employees’ attention in a way that dry statistics can never do.
Some institutions have even ramped up their creativity by using social media to provision and deliver some security awareness training.
3. Not providing ongoing training
Another mistake universities make is not providing ongoing training. Effective security training can’t be relegated to an annual chore to “check the box.” Awareness needs to be continually reinforced in order to inspire a security culture shift and drive safe employee behaviors. This cultural shift was evident at Snow College in Utah, where training and continual reinforcement helped to drive the awareness security leaders were looking for.
Security threats are also constantly evolving, and faculty and staff need to be updated on the latest threats and how to protect against them. This can be done through regular training sessions, emails or newsletters highlighting the latest threats and best practices for protecting against them. Given the rapid news cycle and the use of social media, we tend to easily forget things that didn’t happen recently, so continual reinforcement is key to combatting “recency bias.” Approaching cybersecurity as a marketer and building a campaign around the program will help to keep folks engaged regularly and, importantly, more easily able to retain the information they need to be cyber-safe.
4. Not measuring effectiveness
Finally, universities often make the mistake of not measuring the effectiveness of their security awareness training. This can be done by testing faculty and staff before and after the training via simulated phishing attempts or by monitoring employee behavior to see if they are following the best practices taught in training.
For example, most companies have an average phish rate of about 30%, meaning about a third of their workforce is at risk of clicking on a phishing email. However, immersive training programs with realistic phishing simulations can drop phishing rates to as low as 1%. By measuring the effectiveness of the training, institutions can identify areas where the training needs to be improved and make changes to ensure that faculty and staff are well-equipped to handle security threats. While identifying areas of improvement is key, celebrating successes should also be part of the process. At the International Institute for Education (IIE), they highlight the “catch of the week” to reinforce good practices but in a positive way that resonates with their employee base.
With the innovations that have surfaced due to advances in machine learning, natural language processing and other feeders of artificial intelligence, we have more ways to view data and rate effectiveness than ever before. Currently, the very malicious actors we are trying to protect against use these technologies to improve their phishing attacks against our end users in real time. If we don’t evolve to measuring and adjusting at a similar rate, we risk becoming completely ineffective when it comes to security awareness.
Building a security awareness program
Security awareness training is an essential aspect of protecting both personal and professional information. While having the right safety nets in technology in place (such as multi-factor authentication and single sign-on) is key, those technology investments will only go so far if even one employee falls risk of a cyberattack.
Effective cybersecurity awareness training is crucial to mitigate those risks, and by implementing a program correctly from the start, universities can ensure that their faculty and staff are well-equipped to handle security threats and protect sensitive information.
Have questions about security awareness training? Learn how Infosec IQ can help your higher ed cybersecurity awareness program.