Cybersecurity: Awareness Training and the 90/10 Rule

Information security is not only about physical and logical measures such as locks, firewalls or anti-virus software. These technical measures may protect universities against many network attacks, but cannot protect against soft attacks, such as social engineering. While 10 percent of security countermeasures are technical, 90 percent of security measures rely on users and other stakeholders. A strong information technology (IT) security program cannot be executed successfully without training users on security threats, policies and techniques to protect the university’s assets. Without awareness at the user level, hackers could use social engineering skills or phishing attacks to bypass security measures.

Faculty, students and staff are key stakeholders in postsecondary institutions. Faculty members have access to sensitive research data. Students enter their sensitive information on computer systems and staff process students’ personal and financial data and essential institutional data. Unfortunately, students are not trained on how to handle their sensitive data securely during its processing and storage. Many institutions train their faculty and employees only minimally on how to accept, process and store sensitive data. As a result, many universities are facing a rising storm of cyber attacks. In fact, a couple of months ago, the financial system of a prestigious university in California was hacked, disclosing thousands of student records. Several weeks ago, the medical campus of a university in Florida was also hacked, revealing the medical and personal information of thousands of patients.

Security Awareness Training is Critical for All Stakeholders

Universities must understand that students, faculty and staff are their best and most essential line of defense against cyber threats. The first task for universities is to develop a formal security awareness training policy. Universities may then develop formal security awareness training courses in accordance with the policy. The intent of the courses is to provide stakeholder knowledge to protect information systems and sensitive data from both internal and external threats. The course should be offered at least once a year. It must be brief, easy to understand and perhaps no more than an hour; easy enough that the basics become second nature.

Training items could include:

• Social engineering techniques and how to avoid them;
• Identity theft;
• Cyber sexual harassment;
• Consequences of using peer-to-peer (P2P) sharing programs without proper authorizing of the content;
• Steps on how to avoid posting sensitive information online.

Awareness training may also be used to guide stakeholders on how to use universities’ computers ethically by avoiding computer misuse. Viewing or downloading pornography or playing games on the Internet often is an avenue to infection by malicious software, where viruses and Trojans are downloaded without users’ knowledge. Stakeholders should not use unapproved software or P2P file-sharing programs on a school’s computer, as it may put the school in legal trouble. Schools can be held liable in court for copyright violations; imposed civil or criminal penalties can incur up to $250,000 in fines. Furthermore, using P2P or unauthorized software can compromise the network and spread viruses and spyware that inflict widespread damage to institutional assets.

Identity Theft is Common and Dangerous

Stolen identities of students could put their future in jeopardy and make them susceptible to immediate financial loss. This is a crime that does not make itself immediately obvious; many students do not realize their identities have been stolen until they apply for financial aid or a loan. The Federal Trade Commission estimates that the identities of more than 10 million people are stolen each year. Cyber criminals use social engineering or phishing attacks to steal Social Security numbers, which can be used to obtain credit cards and even buy houses. Institutions should encourage their students to regularly have their credit checked to ensure their identity remains uncompromised.

Conclusion

Ultimately, all colleges and universities must make cyber awareness training part of the formal university strategic plan and must require stakeholders to participate in annual training, just as major corporations do.

Students need to be trained on how to respond to social engineering and phishing attacks. To protect against social engineering, stakeholders must verify the identity of individuals before giving out information or even replying to messages. If stakeholders are suspicious of an email, they should not click on the links provided or open attachments; instead, they should contact the school security officers or IT helpdesk to report suspicious activities.

Many schools tend to forget about nontechnical measures to ensure security of their assets. Technical measures alone are not enough to ensure security of student records. Nontechnical measures, such as awareness training, are a critical measure to ensure data confidentiality, integrity and availability.

To see the other articles in the Cybersecurity series, please click here.