Security

What Happens When Students Bring Malware to Campus?

Cyberattacks on universities and individual students are increasing as the technologies that access campus networks get more complex.

Joel Keller

Joel Keller spent more than a decade in IT before becoming a full-time journalist. He has written for The New York Times, Parade and others.

Bring-your-own-device initiatives have always struck fear in the hearts of IT managers. When smartphones became dominant in the late 2000s, IT staff members were rightly concerned that users’ personal devices might introduce malware to their networks.

Today, however, BYOD covers a lot more than just phones accessing campus email systems.

“A decade ago, cybersecurity risks were primarily tied to traditional devices like desktops, open Wi-Fi networks, USB drives and older email systems,” says Nichole Muscanell, a researcher at EDUCAUSE. “Today, the landscape has shifted dramatically, with greater risks stemming from smarter, more complex technologies such as Internet of Things devices, mobile and personal devices, wearable tech and cloud-based services."

In addition, artificial intelligence advances and the looming development of quantum computing will add even more complexity to securing campus networks. Because of this, the authors of the 2024 EDUCAUSE Horizon Report: Cybersecurity and Privacy Edition note, "the speed of change is and will continue to be a challenge for higher education institutions in particular because traditionally the sector has been slow to change. Institutions will need to find ways to keep pace … without rushing processes, which can lead to mistakes and could make cybersecurity efforts less effective."

Click the banner below to learn the importance of cyber resilience.

x-cyberresillience2-static-2024-na-desktop

x-cyberresillience2-static-2024-na-mobile

With cyberattacks on the rise, targeting individuals as well as institutions, campus IT managers have to be more vigilant than ever to protect their networks, especially given the physical and financial difficulties that shutdowns due to ransomware and other attacks can cause. But trying to secure against all the ways people access campus networks feels like a high-tech game of Whac-A-Mole. So, what can IT managers do to prevent cyberattacks?

A Combination of Tools Offers the Best Defense Against Cyberthreats

The first thing that IT managers need to consider is that it's impossible to manage what EDUCAUSE calls "the perimeter" — the devices and cloud services that may have access to an institution’s networks — and that they should work to protect their data instead. The organization recommends a balance of data security measures with traditional security models that focus on devices accessing the network. Among the data security practices they recommend: inventory systems, adopt zero-trust practices, use data loss prevention tools and manage user identities.

IT managers can also separate critical networks from the general campus network, either internally or via third-party cloud services. Jenay Robert, a senior researcher at EDUCAUSE, cites the example of San Diego State University, which used Amazon Web Services to create a secure enclave platform for research projects.

"This platform ensures secure environments for handling regulated data, meeting IT security compliance, and maintaining NIST 800-171 controls and strict enclave separation," writes Robert. "It provides managed services for data ingress/egress, logging, and deployments; supports standardized system images; and allows automated tool deployments and future service additions to meet evolving researcher needs."

Why Educating End Users Can Keep Them Safe

Of course, user education is still one of the primary ways to make sure networks stay safe. The more users are aware of threats and how they are introduced to campus networks, the more vigilant they can be.

However, deciding how much trust and transparency to include as part of a cybersecurity and privacy policy is a balancing act. Giving end users more agency over their technology use can be educational but requires more work on the IT side, which can be hard on IT teams that are already stretched thin. Too much transparency can also make an institution more vulnerable to cyberattacks.

To fight the fatigue, Robert cites a program at California State University, Monterey Bay. The university set up a cybersecurity awareness program that included a game to teach students about best practices, hosted in-person panel discussions on the topic, and held a graphic design contest, all under the banner "Cybersecurity Spring 2024."

UP NEXT: Automating security tasks can ease the burden on university IT departments.

EDUCAUSE recommends keeping users in the loop on cybersecurity. For instance, having an advisory group consisting of a cross-section of users will help IT managers better understand user needs when creating and changing data security policies. Regular communication is also critical, as is the giving users the ability to track who has access to their personal data and how it’s used.

But, the organization warns, IT managers will never please everyone with their security strategy, so expectations must be set for how they will address user input even when they cannot incorporate it.

There is a place for artificial intelligence in establishing these policies, even as it as seen as an increasing threat. "AI tools can make training more accessible by accommodating different learning [needs], formats, and languages," notes the EDUCAUSE report. It recommends that IT departments maintain personal engagement with users and offer traditional high-touch training for those who would rather have in-person education on the topic.

Because of all these factors, EDUCAUSE's Muscanell finds these crossroads fascinating in dealing with cybersecurity.

"These factors, in addition to others, will intersect to redefine which devices and systems are most vulnerable, shaping the future of cybersecurity and privacy protection," she says.

Beth Goody/Theispot