The sheer amount of data that colleges, universities, and other post-secondary schools deal with on a daily basis is practically unfathomable. As such, higher education is embracing modern networking technology because of the many advantages it offers both students and institutions. CRM software allows schools to collect marketing information and maintain accurate records, while cloud-based learning platforms and mobile apps give students the ability to work and study remotely. However, the sensitive nature of the information being shared across these networks means that schools need to invest seriously in cybersecurity to keep it safe — and unfortunately, that isn’t always the case.
Why Don’t Schools Pay Attention to Cybersecurity?
Unfortunately, schools face a litany of challenges when it comes to tightening up their cybersecurity practices. The very nature of networks themselves is constantly evolving, which requires organizations of all kinds to adapt along with it. However, many educational institutions are also severely underfunded and understaffed. As a result, they lack the resources and expertise to implement proper cybersecurity strategies — making them easy targets for hackers.
Even so, schools that care about the well-being of their staff and students must embrace current and comprehensive cybersecurity measures. Below, we’ll look at several of the biggest problems facing higher education networks and describe some of the most effective ways in which institutions can overcome them.
Common Cybersecurity Risks for Colleges and Universities
The reason it’s so important for colleges and universities to keep upgrading their cybersecurity is that new threats continue to appear as technology changes and hackers adopt fresh tactics. Many current network breaches at educational organizations occur because of the following:
- The variety and quantity of stored data. The data schools collect from students usually isn’t limited to academic information such as ID numbers and class schedules. It can also include health records, SSNs, and even financial information.
Outside parties with malicious intentions can use this data to steal a student’s identity, or to create a false identity with their information and sell it online. Many students who have been targeted in this way do not even realize it until years later, when they apply for their first major loan or line of credit and discover that their credit has been ruined by someone else posing as them. At that point, it can take years of costly legal battles to restore their credit and reclaim their identity.
Parents who want to reduce these risks can try freezing their children’s credit until such time as it needs to be used, which prevents even a successful hacker from driving them into debt. However, it is imperative that institutions also take responsibility to safeguard students and protect any information they collect on their behalf.
- Fluid network boundaries. Schools used to store the information they collected locally, which meant that their security measures were normally “perimeter-based”. Basically, if you wanted to access information, you had to be able to access the server it was stored on first, which usually meant logging into a device that was physically connected to the network. If that device was adequately protected, the network was secure. Today, it’s not so simple.
Current network technology has rendered the perimeter-based approach obsolete, because students can access sensitive information from their own devices. It doesn’t matter how secure the school servers are when the device a student is using to access them can be easily compromised.
- Social engineering. Identity theft isn’t the only cybersecurity threat post-secondary students face, either. The large number of students who use social media apps constitutes an obvious and relatively easy target for groups or individuals attempting to influence the psychology of certain demographics.
Some examples of social engineering are widely known, such as the infamous Cambridge Analytica scandal, in which Facebook user data was collected under misleading pretenses and then used to target and influence millions of American voters in the 2016 election. However, statistics indicate a rising trend in social engineering aimed at university students, especially when it comes to phishing scams. These scams are a particular type of social engineering tactic that attempts to trick the victim into volunteering their personal information instead of stealing it via traditional hacking methods.
Phishers generally disguise themselves by asking for this information as part of a “verification process” — either for an app (as in the case of Cambridge Analytica, who collected data under the guise of using it for a Facebook personality quiz), or by posing as an authority figure such as a bank. When phishing scams target university students, the goal is often not financial — instead, the attacks may be aimed at stealing valuable research.
Cybersecurity Fixes for Post-Secondary Schools
Fortunately, there are many strategies that institutions can use to ramp up cybersecurity for their staff and students. Better yet, most of these approaches can be implemented quickly and cost-effectively once they have been identified and made into policies such as:
- Educating staff and students about social media best practices. Many universities and colleges have social media guidelines for staff members who can access official school accounts, but information about safe social media use should be available to all staff and students. Try holding free seminars or creating online training modules that must be completed before the first day of classes each semester.
- Supplementing perimeter-based security strategies with endpoint protection solutions. Endpoint protection is an approach to cybersecurity that aims to identify and eliminate vulnerabilities in devices that try to access a given network, rather than the network infrastructure itself. Whenever a student or staff member wants to view school information on their device, endpoint protection software checks the device for security risks, and only grants conditional acceptance if no red flags are detected. This also motivates users to learn cybersecurity best practices and keep their devices updated, which reduces risk across campus.
- Outsourcing cybersecurity functions to an MSSP. As mentioned above, many schools struggle with funding and cannot afford to hire new full-time IT personnel. Fortunately, Managed Security Service Providers (or MSSPs) offer third-party monitoring and management of cybersecurity systems. MSSPs have the resources to consistently upgrade network security for their clients, and can usually respond to any breaches that do occur much faster than in-house teams (which take over 6 months on average for most businesses).
Cybersecurity Mistakes to Avoid
Some institutions have adopted counterproductive policies when it comes to cybersecurity. Here are some strategies that can backfire easily:
- Asking staff and students to download cybersecurity apps on their personal devices. Most people have fairly personal relationships with their devices, and won’t appreciate being made to download software by their place of work or school. Forcing them can create feelings of resentment and suspicion, which might prevent them from using the app and even motivate them to delete it as soon as it has been installed.
- Requiring that every device on campus be registered in a database. Some universities are leaning towards this policy, but students won’t like their personal property being catalogued by their school. Additionally, it should go without saying that a database containing information about every device on campus just represents one more treasure trove of exploitable information for anyone who can hack into it.
Choosing Reasonable Cybersecurity Strategies
Since the way people access important data continues to change across post-secondary campuses, institutions need to grow alongside the technology they use. First and foremost, schools need to recognize that traditional perimeter-based approaches to network security offer insufficient protection for a network that can constantly be accessed by thousands of different mobile devices at any time and place.
In addition to embracing endpoint-oriented protection systems, institutions must also stay updated on current forms of social engineering, including phishing scams. Finally, once they know what kinds of threats their staff and students face, it’s imperative that these organizations pass the information along to anyone who might be the target of a cybersecurity attack. Since that will require more work than most in-house IT departments can handle, this may mean outsourcing the maintenance and management of network security systems to third-party professionals with the time and tools to handle those tasks competently.
Colleges, universities, and other post-secondary programs are hives of vital information that makes our world stronger and better. It’s critical that they keep this information safe by being proactive when it comes to handling cybersecurity for their networks.