Higher education security professionals must focus on more than simply securing systems. They are constantly responding to incidents that result from the insecure cyberhabits of faculty, staff and students, so they are always on the lookout for ways to improve security habits throughout the institution.
For most of us, work is an activity we perform not only in the office or the classroom, but also in our homes, the coffee shop or even the park. We work on desktops, laptops and mobile devices. We transmit institutional data across personal, public and institutional networks.
Traditionally, security professionals have limited their sphere of concern to the institution, but the walls between work and home are now nonexistent. The security of the institution depends on the security habits of staff, wherever they happen to be.
Engage and Educate on Security Basics
The Pew Research Center reports that the public does not know how to secure their online selves, nor do they understand basic steps they can take to be more secure. Often, they have not been educated about the risks of online activity. Worse, people who have some exposure to security activities may hit “cyberfatigue”: Exhausted by the potential for risk online, they either do nothing or adopt insecure behavior.
These factors present an opportunity for security professionals. Recommending easy ways for the campus community to be secure at home can lead to more secure behavior at work.
The goal of focusing on the home is to help users invest in security for the areas they care about: their family, possessions and privacy. As people think about these areas, they will start to recognize equivalent situations on campus and respond in a more secure way.
Focus on Simple Cyberhygiene
- Backups: Start with the question, “What is important?” Then ask, “Is it being backed up? Are those backups working?” These questions are equally applicable to work or home — and equally crucial. Giving users examples of ways to back up current versions of Microsoft and Apple products will be helpful to those who don’t know where to find accurate information.
- Password management: Password managers help staff generate and manage strong passwords. However, an institution may not have invested in the tool, and it’s only effective if it fits in with an employee’s online habits. Regardless of whether the institution provides a password manager, encourage people to learn how to effectively use this important protection tool.
- Multifactor authentication: Higher education institutions are starting to embrace MFA, as they should. Most popular email providers, cloud providers and financial institutions are already using various forms of multifactor authentication, and information security staff needs to remind employees of the benefits of these tools.
- Virtual private networks: Staff sometimes use VPNs at work, but do they also use them at home or when they travel? They should. Educating the university community about the benefits of using a VPN, and then encouraging them to do so, is a great hygiene activity that will pay off as they access university systems from places like the airport.
- Network management: There are many benefits to hardening home networks, yet few people do it. One of the biggest risks to institutional data is the people who live with employees, because they share the same network as the employee who accesses institutional data from home. Teaching employees how to harden and segment (if necessary) their home networks promotes good security hygiene, and it helps to protect institutional information from malware, ransomware and other nasty stuff. The National Cyber Security Alliance offers easy-to-understand tips.
3 Ways to Improve Higher Ed Security
IT professionals know that to improve security, we have three options:
- Make security invisible in systems and applications.
- Where a user has a choice to make, make the secure choice the preferred choice.
- Train people to recognize and acknowledge the risks they are taking.
Technology is not yet at the point where the first option is always available, so we have to work on options two and three. By focusing on users’ home environments, we speak directly to the things they care most about. In the process, we raise awareness of how secure they are at work. By recognizing that cybersecurity affects all aspects of our lives, we can collectively improve our security profiles and benefit everyone.