Cybersecurity: Awareness Training and the 90/10 RuleSam Musa | Cyber Security Adjunct Professor, University of Maryland University College
Faculty, students and staff are key stakeholders in postsecondary institutions. Faculty members have access to sensitive research data. Students enter their sensitive information on computer systems and staff process students’ personal and financial data and essential institutional data. Unfortunately, students are not trained on how to handle their sensitive data securely during its processing and storage. Many institutions train their faculty and employees only minimally on how to accept, process and store sensitive data. As a result, many universities are facing a rising storm of cyber attacks. In fact, a couple of months ago, the financial system of a prestigious university in California was hacked, disclosing thousands of student records. Several weeks ago, the medical campus of a university in Florida was also hacked, revealing the medical and personal information of thousands of patients.
Security Awareness Training is Critical for All Stakeholders
Universities must understand that students, faculty and staff are their best and most essential line of defense against cyber threats. The first task for universities is to develop a formal security awareness training policy. Universities may then develop formal security awareness training courses in accordance with the policy. The intent of the courses is to provide stakeholder knowledge to protect information systems and sensitive data from both internal and external threats. The course should be offered at least once a year. It must be brief, easy to understand and perhaps no more than an hour; easy enough that the basics become second nature.
Training items could include:
- Social engineering techniques and how to avoid them;
- Identity theft;
- Cyber sexual harassment;
- Consequences of using peer-to-peer (P2P) sharing programs without proper authorizing of the content;
- Steps on how to avoid posting sensitive information online.
Awareness training may also be used to guide stakeholders on how to use universities’ computers ethically by avoiding computer misuse. Viewing or downloading pornography or playing games on the Internet often is an avenue to infection by malicious software, where viruses and Trojans are downloaded without users’ knowledge. Stakeholders should not use unapproved software or P2P file-sharing programs on a school’s computer, as it may put the school in legal trouble. Schools can be held liable in court for copyright violations; imposed civil or criminal penalties can incur up to $250,000 in fines. Furthermore, using P2P or unauthorized software can compromise the network and spread viruses and spyware that inflict widespread damage to institutional assets.
Identity Theft is Common and Dangerous
Stolen identities of students could put their future in jeopardy and make them susceptible to immediate financial loss. This is a crime that does not make itself immediately obvious; many students do not realize their identities have been stolen until they apply for financial aid or a loan. The Federal Trade Commission estimates that the identities of more than 10 million people are stolen each year. Cyber criminals use social engineering or phishing attacks to steal Social Security numbers, which can be used to obtain credit cards and even buy houses. Institutions should encourage their students to regularly have their credit checked to ensure their identity remains uncompromised.
Ultimately, all colleges and universities must make cyber awareness training part of the formal university strategic plan and must require stakeholders to participate in annual training, just as major corporations do.
Students need to be trained on how to respond to social engineering and phishing attacks. To protect against social engineering, stakeholders must verify the identity of individuals before giving out information or even replying to messages. If stakeholders are suspicious of an email, they should not click on the links provided or open attachments; instead, they should contact the school security officers or IT helpdesk to report suspicious activities.
Many schools tend to forget about nontechnical measures to ensure security of their assets. Technical measures alone are not enough to ensure security of student records. Nontechnical measures, such as awareness training, are a critical measure to ensure data confidentiality, integrity and availability.
To see the other articles in the Cybersecurity series, please click here.
Author Perspective: Educator
I agree with the point Musa makes here. Many institutions have a safe use policy on their shared computer systems. But I think the underlying issue is that many students and staff who do expose the network to cyber attacks do so unintentionally. In other words, they’re not trying to view porn on a shared computer, but they may unknowingly download a virus by opening an email.
I know some institutions have started doing email blasts to warn students and staff of cyber crime (e.g. email scam) in the same way they send out security alerts of physical crimes. That is one way of raising awareness among the campus community of the need for better cybersecurity. Some institutions offer training, but it tends to be optional and geared toward staff, who make up the minority of users on campus when compared to students. If anyone has experience with bringing training to the student body, would love to see your thoughts here.
Awareness is the best form of prevention. At my institution, we tried blocking access to a number of sites on our shared computers. However, there were times where we couldn’t get access to legitimate sites because they simply weren’t recognized. What we found worked better was giving training, as you suggest, to users (in this case, staff exclusively) so they could do that type of site filtering themselves.
Universities are an attractive target which makes cybersecurity awareness training essential. Faculty, students, and staff must be taught how to properly protect their data. Virtually all good security penetration tests identify the human factor as one of any organization’s greatest risk. While you can build a wall of technical protections around systems and data, it is ultimately the actions and behaviors of people that will determine just how secure the data and records really are.