How to Strengthen Higher Education’s Weakest Cybersecurity Link
COVID-19 has disrupted every higher education institution around the globe and IT departments are implementing infrastructure and procedures that enable staff and students to work and learn remotely and safely. While the world focuses on the humanitarian crisis, cybercriminals are capitalizing and thriving amid the chaos. Given the new complexities associated with so many people remotely connecting to sensitive networks, cybercriminals are devising new ways to take advantage of users, infiltrate networks, and steal data.
Institutions have vast amounts of sensitive data, including student health and financial data, staff payroll and 401K information, and critical research and organizational data. While universities must provide access to lab data and resources for students and faculty to continue research at home, it’s challenging to ensure that this information, previously protected by physical buildings and on-premise security solutions, doesn’t fall into dangerous hands.
The overnight shift to fully remote work and online learning during the COVID-19 crisis has amplified the urgency and the obstacles around cybersecurity. With risks escalating, the industry has reached a critical juncture; it’s time to develop a systematic approach to security.
Six Elements of a Cybersecurity Plan
A comprehensive and layered security plan is essential in today’s new working environment. A robust cybersecurity plan should include the following elements.
1. Application security tools to protect websites and web-based applications from different types of threats that exploit vulnerabilities in source code.
2. Information security tools to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of information.
3. Network security tools to prevent unauthorized access to sensitive computer networks.
4. Disaster recovery strategies comprised of business continuity plans that describe how work and learning can be resumed quickly after a cyberattack or disaster.
5. Operational security and risk management processes that identify the institution’s critical information and vulnerabilities as well as a plan to restore operations.
6. End-user training programs to ensure that individuals across the institution—including students and staff—are aware of security policies, procedures, and protocols.
IT organizations can develop the first five elements as part of a comprehensive plan. In many cases, however, the weakest link in a security plan is the user.
Provide Security Guidelines to Staff and Students
Students and staff are often prime targets for a cyberattack. Phishing and social hacking are common techniques used on students and employees to gain access to an institution’s data. Colleges and universities can build an effective threat prevention strategy by offering training and education programs to ensure students and staff can identify and prevent threats.
Here are some examples of real-life guidance from university websites.
University of Washington
• Stay updated. Keep systems and software up to date by enabling automatic updates for your operating system and applications.
• Sometimes it’s better to forget. When accessing university data, don’t use the “remember my password” feature.
University of Wisconsin
• Keep work data on work computers. Using a personally owned device to do university business puts both you and the campus at risk.
• Install anti-malware software (anti-spyware, anti-virus) and enable a firewall on your device(s).
Penn State
• Watch for phishing attempts…Be especially wary of emails that attempt to get you to share your password as a requirement for working remotely. Attackers will often try to exploit an existing relationship by posing as a person you know or trust (such as a colleague or supervisor) and by creating a sense of urgency.
University of Texas
• Do not store…credentials, credit card numbers, bank account numbers, or other sensitive data in your web browser.
• Avoid using a public Wi-Fi network unless absolutely necessary. Consider using your mobile phone as a hot spot instead of using a public Wi-Fi network. If you must use public Wi-Fi, it’s best to use a secure, password-protected wireless network.
Marquette University
• Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email.
University of California – Santa Cruz
• A good rule of thumb is to only post information you would be willing to put on a banner in a public place. Assume that any information you enter online is public unless you are using a known, trusted, secure site.
Cybercriminals have more opportunities to capture or exploit information in today’s chaos. As online learning and remote working continue through the foreseeable future, higher education institutions must do their best to review and update cybersecurity plans, including training end users on best practices and what they can do to keep information safe.