In Cybersecurity, There’s No Such Thing as Too Much User Education

Enlist students, faculty and other campus users in the fight against online threats through consistent, strategic communication.

College and university IT systems house a significant amount of sensitive information, from Social Security numbers to confidential research data, and that means they’re likely to remain a desirable target for cyberattacks. In the past year, 60 percent of schools have experienced a data breach, according to a survey conducted by CDW.

The common thread in many cyberattacks, according to a 2017 report from KPMG, is a failure to enforce controls around the identity layer. That makes it possible for cybercriminals who obtain a user’s login credentials to access the network. Nabbing those credentials can be fairly easy if users engage in unsafe behaviors, such as sharing passwords or providing personal information when they shouldn’t. Unfortunately, CDW’s survey shows that some students do both of these things, despite efforts to discourage them.

To protect individual and institutional information, it’s critical to continually remind stakeholders about safe practices, together with lessons learned when a breach does occur. Getting students, faculty and staff to absorb and put that information into practice, however, isn’t always easy. In fact, higher education IT pros say that educating users about security policies and procedures is their top cybersecurity challenge.

Diversify Your Cybersecurity Communication Strategy

Start outreach early, as soon as individuals join the campus community. The Readiness and Emergency Management for Schools Technical Assistance Center recommends that IT staff outline responsible use policies in the orientation materials provided to new faculty, employees and students — and continue to provide reminders on an ongoing basis.

Certain information, including threat alerts and notifications, can be shared via social media. Some IT departments struggle with this because regular posts can be time-consuming to produce, and users tend to expect fresh content on social channels. To overcome those challenges, EDUCAUSE recommends delegating posting responsibilities to a small team of employees.

Institutions can also highlight recommended safety practices with a cyber awareness campaign. Using a variety of outreach channels, such as augmenting social media messages with signs posted on campus and articles in the campus newspaper, can drive the point home, according to the National Cyber Security Alliance. Finally, to warn users about potential and actual threats in real time, some institutions send security alerts and advisories via email or another channel. Washington University in St. Louis, for example, tells users about specific phishing campaigns hitting campus as IT becomes aware of them, including the specific language that users should watch out for.

To ensure recipients read and understand these messages, keep them brief and avoid using too much tech jargon. The email subject line is also a valuable opportunity to get readers’ attention, EDUCAUSE says. Provide enough detail so that recipients recognize the message as a high priority.

Benefits of Disclosing Data Breaches May Outweigh Negatives

If a breach does occur, CDW notes that the vast majority of institutions favor transparency, with 91 percent of IT pros saying they have communicated the news to the student body.

Understandably, some institutions worry that divulging a breach may cause damage to their reputation. Yet it also stands to reason that if users aren’t aware of specific threats around phishing and malware, they could lapse into risky behavior that creates far worse issues.

IT departments take ample measures to safeguard networks and systems, and in most cases, these solutions and practices provide adequate protection. However, the reality is that many hackers target what’s likely to be a network’s weakest point, and that’s the people who use it. If faculty members, students and other users don’t know to check a URL or confirm that a message came from a legitimate address before they start keying in their user ID and password, even the most technologically secure system can be, and will be, at risk.

This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.

Mar 23 2018