Teach Users Smart Security Habits and They Become Partners in Cybersecurity

Technology solutions are a proven line of defense for higher education institutions seeking to protect themselves from the growing threat of cyberattacks. However, even in the most sophisticated systems, users still have an important role to play: practicing security awareness and developing savvy digital habits.

People, together with technology and institutional policies/procedures, make up the three-pronged approach on which comprehensive security strategies are based.

IT experts regularly confront the challenging reality that users, rather than being partners in cybersecurity initiatives, are often the weakest link.

A recent Verizon study found that recipients of phishing messages opened almost one third of these compromised emails. Ideally, that number would be decreasing as the public becomes more alert to such tactics, but this is actually a 23 percent increase over 2014. The study also found that the percentage of users who clicked links in malicious attachments (11 percent) has not improved since 2014.

Despite institutions’ best efforts to enlist the help of the campus community, many still struggle with this challenge. For some, finding new, more effective ways to educate users remains one of the best solutions out there.

Make Security Training More Effective

Hackers, like most criminals, tend to choose the path of least resistance. Most intruders exploit vulnerabilities that are widely known and well established, such as vulnerable passwords. Weak, default or stolen passwords are responsible for 63 percent of data breaches, according to Verizon’s study. This is true despite the fact that most users — at least in theory — recognize the importance of secure passwords. Similarly, most users are aware of phishing and its potential to cause serious damage to individual and institutional systems. Yet phishing attempts remain one of the quickest and easiest ways for an intruder to gain access.

One way to fight this threat is to identify groups that may be more vulnerable to phishing attempts. The University of Nebraska at Omaha, for example, recognized that international students may have trouble identifying suspicious emails if English is not their first language or they are unfamiliar with typical practices of American banks, businesses and government agencies. It enlisted help from the International Studies and Programs division to start educating these students about cybersecurity as soon as they get to campus. Such programs can let students know that clicking on links from unknown senders or sending personal information via email can be dangerous.

The University of Dayton has revamped its security awareness training, kicking off in January a yearlong “cyber mindfulness” campaign to teach users to consider the potential security risk in every digital action they take. CIO and Associate Provost Thomas Skill says the university recognized that traditional “one-and-done” training programs often fall short when it comes to actually changing behavior. As an alternative, it implemented a series of proactive activities, including more frequent phishing tests; regular communication about security news, updates and warnings; and prizes and incentives for users who achieve certain security goals.

Another strategy, recommended by the Research and Education Networking Information Sharing and Analysis Center, is to give employees frequent security reminders, such as every time they are given access to a new application.

Recognize Unique Audience Needs

The University of Wisconsin–Madison developed audience-specific education training as part of its five-year Cybersecurity Strategy plan in 2015. One of the plan’s top strategic objectives was to “Build a community of experts and improve institutional user competence through security education, training and awareness.” The plan calls for IT security staff to develop group-specific education for professors, researchers, business staff and IT professionals.

To address the need for ongoing education about phishing attempts in particular, the plan also calls for quarterly phishing campaigns. Most important, the university measures campaign results to ensure that the ultimate goal — reducing the number of users who respond to phishing attempts — is being achieved.

Even as technology solutions grow more sophisticated and effective in helping institutions protect their data, users and resources, security threats seem to have little trouble in keeping pace. Enlisting the campus community as a knowledgeable, committed partner by helping users develop smart online habits will go a long way toward ensuring that institutions stay one step ahead of the threat.

For best practices on improving cybersecurity on campus, check out the following videos:

• Higher Ed Can’t Afford Weak Links in IT Security
• Weak Passwords Pose Cybersecurity Risk for Campus Networks
• Campus Networks Require Multifaceted, Modern Cybersecurity

This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.