Jun 11 2020
Security

When Crisis Strikes, So Do Cyber Criminals

Opportunistic criminals thrive amid chaos. Here are tips for universities and colleges on how to stay safe from cyberthreats during times of crisis.
Amelia Pang
by

Amelia Pang is a journalist and an editor at EdTech: Focus on Higher Education. Her work has appeared in the New Republic, Mother Jones, and The New York Times Sunday Review, among other publications.

For cybercriminals, there’s often no better time to target victims than when the rest of the world seems to be falling apart. So, it came as little surprise that shortly after COVID-19 shut down campuses and businesses around the world, there was a spike in ransomware and phishing incidents. 

The numbers tell the story: According to Palo Alto Networks, a leading cybersecurity provider, nearly 1,800 suspicious domains with coronavirus-related names are registered every day on average. And according to email security firm Mimecast, the number of COVID-19 spam messages sent spiked by 26 percent during the first 100 days of the outbreak. 

“We normally talk about phishing as a kind of cyberattack because it takes place on computers,” says Nick Falcone, CISO for the University of Pennsylvania. “But most of the time, the vulnerability exploited is in the human recipient of the email.”

MORE ON EDTECH: Learn how to improve remote learning with virtual desktop infrastructure.

“COVID-19 has made us all more vulnerable to the kind of tricks and misdirection used by phishing attacks,” he says. “We are, generally speaking, all more tired and distressed. We are working with technology in new and unfamiliar ways. And we are interacting with trusted parties like our employers in unusual ways. All of these things make it harder to spot phishing emails.”

Unfortunately, many remote workers continue falling for these scams. Mimecast has seen a 56 percent increase in the number of URLs being blocked in response to users working from home clicking on unsavory links. Here are some tips for how universities and colleges can keep their people and their networks safe from phishing attacks.

Remote Learning Insider Higher Ed Insider

How to Go Beyond Basic Cybersecurity

Even as the cyber landscape continues to evolve, many best practices remain the same. “Patch all of your software, use two-factor authentication on every account that accepts it,” Falcone says, “and don’t click links or attachments that you weren’t expecting — all are still standard advice.”

Still, Falcone adds, the standard advice only works to a certain point. 

“Learning safer ways to click can help mitigate those risks,” he said. “For example, opening attachments or websites using an iPhone, iPad or Chromebook can help keep exploits from attacking your computer, as there are fewer ways for a website or attachment to take over those specific devices.”

Another solution is to hold security awareness training with faculty and staff. According to Mimecast, employees who haven’t had a recent security awareness training are 5.2 times more likely to click on malicious links.

MORE ON EDTECH: Learn how higher ed IT leaders can drive digital workplace adoption.

Get the Tools That Help Prevent Phishing

Multifactor authentication and the use of strong and frequently changed passwords have always been important. But these two routine practices are even more crucial today. 

In May, the FBI and the Cybersecurity and Infrastructure Security Agency issued a warning that COVID-19 research organizations — including colleges and universities —are major targets for foreign espionage hackers

“Using a security key such as a YubiKey as your second factor instead of a texted, one-time password can help a great deal with stopping sophisticated phishing attacks,” Falcone says. “The key verifies that you are talking to the real web page before logging you in.” 

Since some phishing emails contain software that record a user’s online activities, increasing VPN capacity is another way to protect remote users from cyberthreats. However, because VPNs are not designed to handle the network connections of large remote workforces, it’s helpful to find a solution that increases VPN bandwidth. 

Above all, it’s essential to consistently update all VPN software programs with the most current security patches. While it’s impossible to completely secure a network, taking these cautionary steps can significantly reduce security risks for higher ed institutions.

One University’s Best Practices for Remote Security Awareness

Here are some security awareness tips that the University of Washington offers for its remote faculty, staff and students: 

  • Keep your systems and data in the family. When working with university information, use university devices and systems whenever possible. Don’t store university information on nonuniversity devices. 
  • Download and save wisely. Delete sensitive university information that’s accidentally downloaded onto personal devices. Delete locally saved files from public or shared computers.
  • Stay updated. Keep systems and software up to date by enabling automatic updates for your operating system and applications.
  • Sometimes it’s better to forget. When accessing university data, don’t use the “remember my password” feature.
  • Scan for danger. Use anti-virus software to scan portable storage devices like thumb drives or external hard drives containing university information.
  • Encrypt it. Encrypt university information stored on portable devices, such as laptops.
  • Collaborate securely. Use collaboration tools that are appropriate for information sensitivity. For example, Microsoft Teams, a communication and collaboration platform that includes file storage, direct messaging and group chat, complies with both HIPAA and the Family Educational Rights and Privacy Act.
SvetaZi/ iStock / Getty Images Plus

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now