How to minimize the top three cyber risks for post-secondary institutions
Few organizations are more vulnerable to cyber attacks than our post-secondary institutions. Universities and colleges face the seemingly impossible job of keeping their doors open and locked at the same time.
To fulfill their mandate while ensuring that knowledge is freely available, institutions must give large populations of students unfettered access to systems, networks and the internet. But low barriers to entry can also put security at risk.
While the security risks are real, most post-secondary institutions focus their resources on research and on helping students gain the skills and education they need to enter the job market after graduation. Indeed, almost all institutions of higher learning are using limited resources and budgets to maintain a sophisticated defence against hackers and cyber criminals. There are a few key things that institutions can do to protect themselves in the face of these challenges. Here are my top three cyber risks for higher education, followed by suggestions to mitigate them.
1) The students
We cyber security professionals often speak of the three pillars of security: people, process and technology. Each is only as strong as the weakest of the three. Most often, that’s people.
Students cause a significant number, if not a majority, of breaches in school security. First, they can be problematic because they’re young and highly tech savvy. Their priority is access, and to that end they can be adept at circumventing security filters and protocols.
I recently made a presentation to a group of students. I was astonished at the level of sophistication in their questions. They asked me, for example, about Tor browser -- which powers the dark web and allows users to move through the internet anonymously.
Oh, did I not mention it? These students were in Grades 7 and 8.
Second, a majority of students don’t care about data privacy. They often do not think about security. When access is the priority, it can generally lead to a cavalier attitude toward sharing passwords, logging into the school system on public networks, and other unsafe activities.
2) Value of student information
Universities and colleges must safeguard large quantities of personal data from students. They use it for a variety of reasons. Many schools analyze the data to learn how they can better attract and retain students.
Students are data-rich targets for cyber attackers: names, social insurance numbers, health records, email addresses, academic records, financial information, and other information can present a treasure trove to hackers. Their passwords are especially sought after, because they can be used to gain access to the school’s network, systems and intellectual property.
3) The boundless perimeter
Educational institutions don’t have perimeters anymore. Data is their perimeter. Users log onto the school network from anywhere -- whether that’s from the campus library or a cabana in Mexico.
With many students signing into the college or university system on a public network (e.g., at a café), there are real vulnerabilities. For example, Pineapple routers can make it appear that the user is signing into the café’s wifi when they’re not. Then, as they log into their school network, their log-in credentials can be stolen.
Reduce your vulnerability: People, processes and awareness
Faced with these challenges, what can schools do? A recent study by the Ponemon Institute measured the top 20 factors mitigating the cost of a data breach. Among the top five, only one related to technology (use of encryption). The other four concerned training, planning and policies.
Student culture and behaviours, the value of information available, and the boundless perimeter indicate that schools have a very real need to focus on educating their users. A top priority should be investment in student, faculty and employee awareness. Security won’t stop users from emailing sensitive information, clicking on a bad link or transferring a payment to an apparent “vendor.” The school’s cyber resilience must involve training and education, planning and procedures, and a cybersecurity culture, backed by appropriate security and IT support.
Those outside of the IT department will be first to see or experience a security incident. That’s why many colleges and universities now run cyber awareness campaigns. These initiatives won’t change every user’s behaviour but they do help lessen your vulnerability. User reports of phishing emails, for example, are an excellent way to curb malicious messages.
Cyberattacks are successfully targeting end users with more sophisticated social engineering via mobile apps, online banking and social media platforms. Schools can give students, faculty and employees the skills and knowledge to better understand these vulnerabilities, recognize an incident and serve as first responders.
No cyber-security program is complete without excellent technology. But by focusing on their people, educational institutions’ IT departments can go much further in fortifying their defences.
Kevin de Snayer is Senior Cyber Solutions Advisor with Calian Group’s cyber security practice.