Dec 20 2017

4 Security Resolutions for Higher Education Institutions

As the new year approaches, users and IT teams should focus on developing better security habits.

Higher education institutions made a lot of headlines for security this year, and not in a good way.

Data breaches in the education sector went up 103 percent in just the first half of 2017, security firm Gemalto reported.

The Digital Citizens Alliance found 14 million email addresses and passwords from faculty, staff, students and alumni at U.S. universities for sale on the dark web.

But, as 2017 comes to a close and a new year with new emerging security threats begins, universities should take some time to think about how they can do better this year.

We’ve got four resolutions for them.

1. Practice Caution with Suspicious Emails

In May, about 1 million Android users of Gmail received a familiar email inviting them to collaborate on a Google Doc with a fellow student or teacher. However, instead of launching the doc, clicking the link resulted in a hack of the user’s email account.

This is just one instance of spear-phishing at universities, or targeted phishing scams that look trustworthy. In 2017, some students were phished with emails that mirrored official communications from their college president. University employees fell for fake requests for invoices that installed malware on their computers.

“[Hackers] are looking at branding, messaging and how we interact with each other. We’ve never seen scams get that sophisticated before,” said Gary O. Roberts, information technology director at Alfred University, in an Inside Higher Ed article.

In the coming year, as phishing scams likely become more sophisticated, higher ed end users should make sure they know a link is legitimate before they click on it. And, if that seems impossible, they should contact IT to report the email.

On its SecureIT blog, Michigan State University supplied these 10 tips to spot a phishing attempt:

  • A generic greeting is used, like “Dear Email user”
  • A forged sender’s address or a strange looking email address appears
  • There is a request for immediate action that seems threatening
  • The included link doesn’t match the URL in the email body when hovered over
  • The email links to a login page
  • The email looks like a web page
  • The URL in the email contains an “@” sign
  • The email has poor spelling and grammar
  • A link leads the user to a web page that doesn’t begin with “https”
  • The email includes an unexpected attachment
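As an added example, not code from the EdTech article or from Michigan State University's blog, the Python below applies several of the tips above (generic greeting, urgent wording, an "@" in the URL, a link that does not begin with https, visible link text that differs from the real target, and a link to a login page) to a constructed sample message; the message content and indicator names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): generic greeting, urgent threat,
# anchor text showing a different URL than its href, an "@" in the URL, no TLS.
SAMPLE_EMAIL = {
    "subject": "Immediate action required: your account will be suspended",
    "body": (
        "<p>Dear Email user,</p>"
        "<p>Your mailbox is over quota. Verify within 24 hours or lose access.</p>"
        '<p><a href="http://portal.university.edu@203.0.113.10/login">'
        "https://portal.university.edu/login</a></p>"
    ),
}

class LinkExtractor(HTMLParser):
    # Collect (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(msg):
    """Return the set of tips from the list above that a message triggers."""
    hits = set()
    text = msg["subject"] + " " + msg["body"]
    if re.search(r"\bdear (email )?(user|customer|member)\b", text, re.I):
        hits.add("generic_greeting")
    if re.search(r"\b(immediately|within \d+ hours|lose access)\b", text, re.I):
        hits.add("urgent_threat")
    parser = LinkExtractor()
    parser.feed(msg["body"])
    for href, shown in parser.links:
        url = urlparse(href)
        if "@" in url.netloc:          # the real host is whatever follows the "@"
            hits.add("at_sign_in_url")
        if url.scheme != "https":      # landing page does not begin with https
            hits.add("non_https_link")
        if shown.startswith("http") and urlparse(shown).hostname != url.hostname:
            hits.add("link_text_mismatch")   # visible URL differs from real target
        if re.search(r"login|signin|verify", url.path, re.I):
            hits.add("links_to_login_page")
    return hits
```

The checks are heuristics for awareness training, not a mail filter: a message that trips none of them can still be malicious.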

2. Improve Your Cyber Hygiene Habits

Good cyber hygiene, or the basic habits that keep users safe on the web, is also a part of avoiding phishing attacks. Cyber hygiene can also work to keep data safe and networks secure.

While it seems simple, Pew Research Center has found that people largely don’t know the basic steps to being more secure. Helen Patton, the CISO of Ohio State University, wrote on EdTech that the best way for university leaders to make sure that staff members are being cautious on campus is to encourage them to be safe at home.

“Traditionally, security professionals have limited their sphere of concern to the institution, but the walls between work and home are now nonexistent,” Patton wrote. “The security of the institution depends on the security habits of staff, wherever they happen to be.”

Foundationally, good cyber hygiene starts with creating strong and unique passwords. A Keeper Security survey found that 87 percent of respondents ages 18 to 30 reuse the same password, meaning that if a hacker got their credentials for one thing, everything would be compromised.

Patton also recommended that universities embrace multifactor authentication for their services, so security remains if something is compromised.

3. Prep for Continuity No Matter What

In 2017, hackers also got creative with distributed denial of service (DDoS) attacks and a new attack method made them even more efficient to conduct. Though preventing a DDoS attack altogether might be nearly impossible, universities can mitigate the consequences of one by preparing like they would for a disaster.

“For an organization that depends on servers and internet presence, it is important to make sure that resources are geographically dispersed and not located in a single data center,” wrote Rachel Kartch, cybersecurity analysis lead at Carnegie Mellon University, in a blog post.

In addition to different physical locations, data centers should also have different networks and paths. After that, Kartch recommended that universities invest in modern firewalls and load balancers to help network operators close connections once they reach a certain threshold.

4. Practice Constant Security Vigilance

No matter how many cyber hygiene habits users have adopted or preparations IT has put in place, security is always going to remain an issue for higher education institutions. As more technology is put in place, more vulnerabilities will appear.

For example, Internet of Things devices such as smart thermostats and beacons can be invaded by botnets that can wreak havoc on university networks.

To keep networks protected from emerging threats like this one, university IT staffs must stay vigilant and monitor everything.
