Oct 10 2019

6 Ways to Fortify Your Campus Against Phishing Attacks

Refresh your defense and your user messaging with these strategies for higher education IT leaders.

Despite persistent efforts by IT staff to instill caution in email users, phishing remains the leading cause of data breaches. Bogus emails that con or coerce users into disclosing key personal data are responsible for the vast majority of successful cyberattacks across the public and private sectors.

Higher education is in the crosshairs. Researchers at email analytics firm 250ok analyzed 3,614 domains operated by the top accredited U.S. colleges and universities by student enrollment. They found that nearly 90 percent of these institutions failed to effectively protect students and faculty from phishing.

The stakes couldn’t be higher. In 2017, a phishing scam defrauded Canada’s MacEwan University of $11.8 million. At institutions such as the University of Wisconsin-Madison, officials say they experience compromised credentials and phishing attempts on a regular basis.

Since October is National Cybersecurity Awareness Month, this is the perfect time to refresh IT department strategies and user messaging to bolster your campus defense.

Timely and Personalized Emails Lower Users’ Defenses

“Higher education is a treasure trove of sensitive data,” says John Ramsey, CISO for the National Student Clearinghouse. “Higher ed encompasses the scope of almost every sensitive data type that exists, ranging from students’ personally identifiable information to HIPAA for the medical universities to intellectual property for the institutions heavily invested in research.”

That makes universities a high-value target for phishing scams.

At Cedarville University in Ohio, Associate Professor of IT Management Phoebe Tsai has witnessed the risk firsthand. This summer she received an email from a bogus website that appeared to be affiliated with the university bookstore. 

“The email was completely personalized and listed the three courses that I was going to teach in this semester,” she says. “It asked me to share the links with my students so they could have easy access to the textbooks for the new semester. I did not click on the links or share them only because I was too busy at that moment. If the official university bookstore had not blown the whistle, I would not have realized that the email was illegitimate. The attacker picked the time when professors were intensively thinking about syllabi, students and textbooks. They almost got me.” 


Counteract Phishing Attempts with These 6 Strategies

Despite the challenges, a few basic steps can help higher education leaders significantly reduce the risk of a successful phishing exploit.

  1. Remove Formatting: Indiana University officials instruct students and faculty to read email in plain text rather than HTML format. This removes potentially toxic clickable images and limits an attacker’s ability to take advantage of the mail client in order to execute code. For those who do read mail in HTML, the university’s IT experts recommend hovering the mouse over the links in each email message to display the actual URL. Users can also look for a digital signature that helps ensure the message actually came from the sender.
  2. Make It Personal: “For the end user, there is no perceived consequence to getting this wrong,” says Alex Grohmann, a director on the Information Systems Security Association international board. To convince employees of the urgency of phishing prevention, IT must make it personal. “This is not just about the company or the institution being at risk,” he says. “These practices protect them as individuals. This is something that could happen to them personally. They can be compromised at home, and there’s no IT department to ride in and save you. When they understand there can be personal consequences in this, they will be more likely to use good hygiene.”
  3. Set Effective Limits: Email filtering tools can help prevent phishing; for example, by rejecting messages that contain suspicious links. But there’s a downside. “You can only ratchet up those tools to a certain level before you start to impact business operations, before you start blocking legitimate emails that maybe are time sensitive,” Grohmann says. “So you have to do an ongoing balancing act. If you are doing business with a particular vendor or partner, for instance, you can have the IT department set up a secure mailbox so those messages get through. It takes time and effort but it may be necessary in order to set effective limits that don’t interrupt your operations.”
  4. Assume the Worst: Despite all preventive measures, there’s a good chance some phishing act will succeed. With this in mind, it makes sense to organize systems around the principle of damage control, with role-based controls and network architecture all geared toward limiting an intruder’s access. “Machines should be isolated in their own networks. People should have the least amount of access needed to do their jobs,” says Shane Chagpar, a solution designer and instructor with IT consultancy Kepner-Tregoe. “The person in marketing shouldn’t be able to view and edit reports from the financial side. Or they should only be able to view certain reports. You have to be granular in how you grant access.”
  5. Make Training Realistic: Anti-phishing awareness doesn’t come from a PowerPoint deck. It comes from hands-on, realistic exercises. “You might have a Bed Bath & Beyond coupon that looks very real. Or you put things in the email that make people mad: Click here to see pictures of your spouse with someone else,” says Bruce Beam, CIO of (ISC)2, a nonprofit membership association of certified cybersecurity professionals. “On Valentine’s Day: We’re trying to deliver flowers, click here to confirm your address. If people are going to learn, the training has to be realistic. It has to be convincing.”
  6. Be a Better Organization: Phishing schemes are psychological in approach: The scammers know that people who are stressed, hurried or under pressure are more likely to respond to an urgent-sounding message. One key way to stop the clicks is to build a friendlier, less harried workplace. “Pressure and stresses lead to people clicking on emails,” says Daniel Norman, a research analyst with the Information Security Forum. “So if you can reduce the stress and reduce the pressure, if you can create a more positive work environment, that is actually going to reduce the likelihood of people clicking on phishing emails.”
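The “hover to see the real URL” check from strategy 1 can be automated for an HTML message: the added example below (not code from the article or from any institution it quotes) parses a message body and flags anchors whose visible text names one host while the href actually opens another. The sample message is constructed here, loosely modelled on the bookstore lure described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the bookstore lure (not a real message).
SAMPLE_HTML = """
<p>Your textbook list for this semester is ready.</p>
<a href="http://bookstore-login.example-evil.test/verify">https://bookstore.example.edu/textbooks</a>
<p>Questions? <a href="https://bookstore.example.edu/help">Contact the bookstore</a></p>
<a href="https://www.bookstore.example.edu/">bookstore.example.edu</a>
"""

# Hostname as a reader would see it in link text, with or without a scheme.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(shown, actual):
    """'example.edu' shown with 'www.example.edu' linked is consistent, not deceptive."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def find_deceptive_links(html):
    """Return anchors whose visible text names a different host than the href really opens."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and actual and not _same_site(shown.group(1).lower(), actual):
            findings.append({"shown": shown.group(1), "actual": actual, "href": href})
    return findings
```

Running `find_deceptive_links(SAMPLE_HTML)` reports only the first anchor, whose text shows bookstore.example.edu while the link opens bookstore-login.example-evil.test; the plain-worded link and the www-prefixed link are left alone.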