Just a few short years ago, cyber-attacks were a barely recognized threat. They felt intangible and unlikely, a concern for the future, perpetrated by bored yet technically gifted teenagers.
Fast-forward to today and cyber security is the most pressing IT issue for many organizations – including universities and higher education institutions.
The motivations behind cyber-attacks can range from political to personal, or just plain mischievous. But the risks are far more clear and profound – compromised data, stolen research and reputational damage.
The nearly 1,200 UK breaches in 2016-17 were double the number of attacks in the sector the previous year.
Addressing cyber defense is imperative for higher education, yet needn’t be complicated or expensive. These ten cyber security tips focus on communications and culture – not big funding or technical systems. It’s time to say goodbye to the cyber spies.
1. Make communication a priority
In today’s bustling workplaces it’s often difficult to get messages through to teaching staff. These people are busy, their inboxes bulge with emails, students place demands on their attention.
In this environment, it’s important to have reliable, authoritative IT comms that staff take notice of. A cyber-attack which causes a network outage impacts your ability to teach. Advising staff so that alternative measures can be put in place is essential to minimize disruption.
Tip: Introduce a communication channel exclusively for high-priority messages. Desktop alerts which pop up on staff computer screens and bypass email are very effective.
2. Reach everyone, everywhere
Colleges and universities are dispersed environments. Teaching and administrative staff are located in multiple different faculties and campuses. Contractors are increasingly employed for shorter-term projects. Remote teams connect with central offices through mobile devices.
Raising cyber security awareness, advising on best practice or informing of policy updates requires aligning all staff – wherever they are, and whatever device they’re using. Neglecting anyone leaves the door open for potential breaches.
Tip: Ensure your communications don’t exclude anyone. Increase readership by targeting messages for greater relevance. Schedule messages to send at times when staff are most likely to see them.
3. Train and reinforce
The cyber security landscape is continually evolving – apps, the Internet of Things, social networks and more sophisticated threats all add complexity. When staff are your first line of defense, training is the armor they need.
What processes exist for handling sensitive information? What are strong passwords? How should suspicious activity be reported?
Increasing cyber security awareness and process knowledge through staff training programs is the surest way to effect sustained behavioral change. Regular sessions will embed learnings so that they become second nature, and ensure any new staff are included.
Tip: Maximize attendance by actively promoting your training sessions. Make your sessions available via video alerts to remote staff or those who couldn’t attend.
4. Share learnings
There is a wealth of helpful tips available for better cyber security practice. Staff may have become aware of them in roles at other companies, or through their own web research. Listing every such tip would create an article dozens of pages long!
But there is value in sharing best practices – things like how to identify phishing emails (plus examples), or why to check the URL of a web link before clicking on it. Not only does this increase the volume of your in-house knowledge, it also helps foster positive learning behavior.
Tip: Establish a collaborative online forum which allows staff to submit cyber security tips (with your IS Manager as moderator). Tag each tip so that it can easily be categorized by type (for example, email, procedure, social media) and will appear in related user searches.
5. Define escalation process
Cyber security risk is increasing. Networks at some of the top institutions, such as Oxford University, have been compromised.
Despite every best effort, sometimes the worst happens. The readiness of your response determines how well you’ll emerge when the dust has settled. Ensure that crisis management procedures are documented, and involve representatives from every department (that is, IT, Information Security, Human Resources, Communications etc.).
Tip: Practice your plan with dummy scenarios regularly (after all, you do this for physical exercises like fire drills). Make these as realistic as possible, and ensure all key personnel are involved.
6. Build an online database
In protecting your organization from the risk of cyber-attack, you’ll amass a wealth of information – compliance policies, known cyber threats, good password tips, web browsing guidelines, FAQs and key contacts.
Making these available in a single repository not only allows staff to easily access them, it also makes maintenance simpler for you. This area is continually added to over time and becomes the single source of truth for all things cyber security.
Tip: Work with your IT team to create a dedicated section on your intranet. Advise staff each time updates are made. Bring cyber security to life by including staff quizzes to test knowledge.
7. Engage students
Students introduce a significant element of risk to cyber security. They’re significant users of communal computers, such as those available for use in your library. They’re also likely to be more relaxed about risk – either because they underestimate the danger or are simply more laissez-faire in their attitudes.
Any tactical plan around cyber security must include the ability to target students – in any faculty, on any campus.
Tip: Digital signage in common areas like libraries is a highly visible tool for promoting best behavior practices to wide audiences.
8. Foster a cyber-safe culture
Fostering a security culture helps your efforts by sharing the responsibility and making everyone part of the solution. This ensures all staff are focused on the risk – particularly important today.
Cyber-attacks on educational institutions are growing. In the first half of 2017, there was a 103% increase in breaches in the education sector – one of the largest jumps of any industry. A culture of awareness is a culture of preparedness.
Tip: Reinforce best practice and promote cyber security tips through passive channels, such as corporate screensavers. Introduce storytelling to your communications via real-world examples.
9. Simulate attacks
So, you’ve trained staff on how to act, provided them with the tools to do so, perhaps even tested their knowledge? But how confident are you that they will act in the best way when an attack occurs?
The best way of gauging this is to simulate an incident: a phishing email is distributed to all staff. The IS team monitors all interactions with it, including how many times dangerous links or attachments are clicked on. Reporting on this, and the specific staff who committed this cyber no-no, helps identify additional training needs before a real event occurs.
Tip: Use progressive email testing in your simulations, where content is increasingly difficult to identify as malicious, to help define your potential risk level.
10. Repurpose useful content
When it comes to prevention of cyber security risk, don’t reinvent the wheel. A lot of material has been written on the subject already, some of which may be available through your partner network.
To assist your ongoing employee education, repurpose content, for example, from your virus-protection vendor, and tailor it for your audience. Physical material can also be made available in student common areas, such as libraries.
Tip: Get a list of vendors from your IT department and evaluate which have valuable content that you can make use of.
As institutes of higher learning, with sensitive data on thousands of students on file, colleges and universities are expected to exhibit the highest level of cyber security. This becomes increasingly challenging as hackers see the industry as an attractive target.
Fortunately, there is much that higher education institutions can do to mitigate the risk. In this case, a little knowledge is definitely not a dangerous thing.
Originally published in Campus Review magazine