Universities understand that cybersecurity is a critical issue – they are prime targets due to the wealth of valuable data they hold – which can attract attacks from external nation-state actors and even insiders. These threats have not gone unnoticed, as cybersecurity budgets in higher education have been increasing significantly in response to the greater threat levels, and plenty of emphasis has been placed on securing networks and devices across campuses.
But today’s cyberattacks are changing: they are increasingly targeting people, not just technology. The easiest route in for attackers is to exploit the vulnerability of humans – not only university staff, but also the student body, who can be particularly susceptible to the increasingly sophisticated forms of social engineering utilised by today’s cybercriminals.
Protect your people
Malicious individuals and groups utilise tactics such as increasingly realistic phishing emails, fraudulent applications and spoofing the identity of senior figures within the university to lead even the most vigilant individual to click on a risky link or download something they shouldn’t. Adding defences such as firewalls or antivirus software goes some way to protecting individuals, but the most effective cybersecurity strategies also take into account the need to build the resilience of the individual through training and awareness programmes – without this level of awareness, someone somewhere, staff or student, will always click!
Training and awareness programmes are traditionally put in place to educate the employees of an organisation to be vigilant and act as the last line of defence against attacks targeting the company itself. Simulated phishing attacks and engaging ‘gamified’ programmes help employees to think twice before becoming the latest victim.
Universities, however, unlike businesses, face constant turnover in the population vulnerable to attack, as each year’s students arrive and leave. A study from Jisc, a UK higher education not-for-profit organisation, reveals that although universities have begun to implement training and awareness programmes for staff, there is a lack of emphasis placed on extending such programmes to students. With various forms of email correspondence coming from the university, student loans companies and accommodation providers, it can be easy for students to fall for a well-timed and well-spoofed malicious email.
When looking at the threats affecting students themselves, you could say the responsibility for awareness lies with the individual – but universities need to look at the reality of how closely students are interacting with the networks and digital services on campus. Students use an array of laptops and other mobile devices, which sit outside the security perimeter the university has created. They can log in to centralised university systems and have access to critical data as part of their studies. One mistake – a click on a malicious link at the wrong time – could cause havoc. With this in mind, it is a valuable investment to extend a structured, effective programme to the student body.
Multi-pronged approach to combating phishing
Some HE institutions in the US have already taken steps to introduce training and awareness for students in addition to staff. Carnegie Mellon University (CMU) in Pittsburgh, for example, which counts a faculty of nearly 1,400 and a student body of 14,000, found through its own research that 18–25-year-olds are particularly likely to fall for phishing attacks. Combining this with the fact that the attacks it was seeing were more sophisticated, and increasingly bypassing antivirus filters, the university felt it a necessity to raise awareness among the entire user community.
CMU introduced a programme with sophisticated phishing simulations at its heart, enabling IT administrators to assess users’ susceptibility to email-based social engineering scams. When users fall for a simulated attack, the system doesn’t just record their error; it also pops up real-time ‘Teachable Moments’ that tell users how to avoid falling for similar attacks in the future.
When the programme proved effective for staff, the university rolled out two customised campaigns targeting students, the population that presents the largest attack surface. Campaigns included additional game-based training modules, teaching users to recognise fraudulent web links by simulating the particularly damaging attacks that take place through social networks. As a result, the simple tips provided to users following a simulated phishing attack reduced the number of participants falling for subsequent phishing emails by 50%. CMU now includes the game-based training in its core curriculum, with all first-year students required to complete the course as part of its online learning environment.
In the face of increasingly sophisticated threats targeting people, not technology, educational institutions need to reassess their approach to cybersecurity. Campuses are places of connections and a sharing of ideas. Technology needs to facilitate this rather than putting students into a security straitjacket, but focusing security strategy in the wrong place can leave universities with their backs turned to the true threat. Developing the resilience of students against cyberthreats is an investment in the security of the whole university, and one that must not be overlooked.
Adenike Cosgrove is a cybersecurity strategist at Proofpoint