Security Awareness in Higher Education
Cyber thieves have the higher education industry in their crosshairs. According to some reports, higher education accounted for 13 percent of all breaches, with only financial and healthcare firms being attacked at a greater ratio. And why wouldn't it be targeted? Personal data (of everyone from alumni to staff to faculty), academic research, and cross-institutional records are attractive targets for adversaries.
The higher education industry has experienced several cybersecurity incidents, like:
- A database breach targeting a university's network exposed the records of 287,570 affiliated personnel, students, faculty, and staff.
- A hack of a university's health system may have exposed the records of more than 4 million patients.
- A ransomware attack on a top university may have damaged the files stored on its systems.
To put a human face on the issue: the information at risk is often that of young individuals who, in most cases, are just stepping into the professional world. If hackers manage to access their information, things can get ugly down the road. It can lead to identity theft and disrupt their chances of securing a mortgage, paying college fees, and so on.
Educational institutions find themselves stuck in a maze as they attempt to modify their security posture and deploy new tools to mitigate the latest attacks. At the same time, adversaries keep coming up with ways around those defenses. Hence, security defenses can only protect data to a certain extent. No matter how robust a higher ed institute's cybersecurity software may be, its end users are the front line of defense during an attack.
That's the main premise of security awareness in higher education.
Conventionally, awareness takes a backseat to the busy lives of faculty and the hectic schedules of students, but efforts to educate everyone on an institute's premises, and its partners, need to be stepped up if higher education wants to stand a chance against sophisticated cybercrime.
What Can Higher Education Institutes Do to Raise Awareness?
Security is a success driver when done right, and a significant threat with potentially destructive outcomes if it malfunctions. Here's how higher education institutions can raise awareness on security.
1. Simulated Phishing
Simulated phishing can be used to educate all stakeholders (staff members, faculty, and students). Educational institutes can set up campaigns where phishing exercises are performed in-house. Work with your IT team to create fake phishing messages with links that point to a blank website. Anyone who opens the fake email is redirected to the harmless site and receives a notification about the exercise, along with further information on how to stay safe. Alternatively, institutions can work with companies that specialize in simulated phishing exercises (games, training modules, etc.). Awareness training can be customized to the requirements of different institutes.
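The in-house exercise described above, as an added example that is not part of the original article: each recipient of the test message gets a link carrying a signed per-recipient token, so the harmless landing page can attribute the click, reject forged or stale links, show the training notice, and report the campaign click rate. The landing URL, campaign key and recipient addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed for the example; a real campaign loads its key from config.
CAMPAIGN_KEY = secrets.token_bytes(32)
TRAINING_URL = "https://awareness.example.edu/you-clicked"  # hypothetical

def make_token(campaign_id: str, recipient: str) -> str:
    """HMAC over campaign and recipient, so a click is attributable without a lookup."""
    msg = f"{campaign_id}|{recipient}".encode()
    return hmac.new(CAMPAIGN_KEY, msg, hashlib.sha256).hexdigest()[:32]

def build_link(campaign_id: str, recipient: str) -> str:
    """Link embedded in the test message; it leads only to the training page."""
    query = {"c": campaign_id, "u": recipient, "t": make_token(campaign_id, recipient)}
    return f"{TRAINING_URL}?{urlencode(query)}"

TRAINING_NOTICE = (
    "This was a simulated phishing exercise run by your IT team. No data was taken. "
    "Check the sender address and hover over links before clicking; report suspicious "
    "mail to the help desk."
)

@dataclass
class Campaign:
    campaign_id: str
    recipients: list
    clicked: set = field(default_factory=set)

    def links(self) -> dict:
        return {r: build_link(self.campaign_id, r) for r in self.recipients}

    def record_click(self, campaign_id: str, recipient: str, token: str):
        """Landing-page handler: validate the token, log the click, return the notice."""
        if campaign_id != self.campaign_id or recipient not in self.recipients:
            return None
        if not hmac.compare_digest(token, make_token(campaign_id, recipient)):
            return None  # forged or stale link: not counted
        self.clicked.add(recipient)
        return TRAINING_NOTICE

    def click_rate(self) -> float:
        """Fraction of recipients who clicked; the metric to track across campaigns."""
        return len(self.clicked) / len(self.recipients) if self.recipients else 0.0
```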
2. Data Sharing Lectures
Faculty, staff, and students share several forms of personal data when they use smartphone apps and social media networks. Certain apps require them to grant access to far more data than they would need in an ideal world, in exchange for access to their features. What stakeholders don't know is that some of these apps serve as "back doors" for hackers. Once hackers gain access to personal data, they can attempt to log into the person's accounts and access information related to the institute. Therefore, it's a good idea to schedule lectures that cover data sharing in general. The focus could be on going through user agreements before someone downloads a new game or tries a new service, to see whether too much data is being requested.
3. Incentives
Incentives can help drive behavior change, and industries have turned to awards to make security awareness education more engaging. For instance, higher ed schools may award prizes to students, faculty, or staff who flag a vulnerability, while the IT department may compete for a monetary incentive over who spots the most security-related vulnerabilities. The benefit of this approach is that those unintentionally engaged in insecure activities (like using devices without anti-virus installed) will hear about best practices too. They may be motivated to take their institute's security seriously and become part of the first line of defense against looming threats.
4. Institute-Wide Security Hygiene
An acceptable use policy, under which stakeholders lock down and sign out of devices when they're not in use, should be enforced institute-wide. Training programs should also be set up to educate end users about the importance of strong passwords and timely updates of their devices' operating systems. See what people need and establish baseline rules, and make sure those rules are followed at all times. You can also set up a secure portal that keeps information safe without limiting activities on student-owned devices.
5. Executive On-Campus Sponsorship
One of the best ways to ensure that a culture of security is driven throughout an institute, and that there is sufficient interest in arranging security awareness training on an ongoing basis, is to get buy-in from campus leaders. Those at the upper end of the hierarchy, like presidents of different societies, can be given responsibility for driving awareness and keeping things on track, and they should report directly to upper management. This gives institutions the best opportunity to balance their security goals against the other risks (such as lack of interest from students) their business faces. Campus leaders can arrange events like a "security awareness day" with fun and engaging activities to keep interest in security awareness campaigns high.
Security awareness provides a variety of benefits to institutions in the higher education industry. It allows them to accelerate behavioral change to reduce unnecessary cost, mitigate threats, and comply with policies. However, instead of relying solely on information security professionals to prevent intrusions and minimize vulnerabilities, institutes should count on the people within to learn and absorb new information about security. By taking the measures described above, schools will be in a better position to create a cycle of continuous learning in which combined efforts build a culture of security awareness.