Professors are on the front lines of detecting cybersecurity risks. It’s a common misconception that cybersecurity responsibility lies at the technology department’s door, but hackers are targeting everyone’s accounts: students, professors, faculty and administrators. It doesn’t matter how low on the access privilege ladder they are.
Education is particularly susceptible to cyber security events when compared to other industries. According to a 2021 EDUCAUSE report, the education sector experienced six times more malware attacks than any other industry. The issue is likely to worsen because higher education institutions are making efforts to enhance their cyber security while cybercriminals are operating at a much faster pace. Cybercriminals do not follow any academic schedule and are constantly searching for chances to cause disruption. In fact, they like to use institutions’ academic schedules against them, for example by deploying malware right when most students are coming back to school from winter or summer break.
Research universities, in particular, are known to house highly valuable data, such as research intelligence, patient medical records, and student information. Unfortunately, due to lack of funding, these assets are often not updated with the latest security measures. Compared to a centralized public company, higher education institutions have a much more open and decentralized IT environment. This creates numerous entry points for potential cyber-attacks and other malicious actions.
So what can higher education leaders and professors do to combat their cybersecurity vulnerabilities?
Main cybersecurity risks
Staying up-to-date on the best practices for protecting yourself and your students from cybersecurity threats is essential. According to a report from Deloitte looking into cybersecurity and privacy impacts on higher education, the top five cybersecurity threats faced by teachers are phishing, Distributed Denial-of-Service (DDoS) attacks, data breaches, ransomware, and Internet of Things (IoT) vulnerabilities.
- Phishing attacks leverage social engineering to exploit human emotion for the purpose of obtaining sensitive information.
- DDoS attacks occur when multiple systems flood the bandwidth or resources of the local servers and can cost up to $40,000 per hour.
- Data breaches involve unauthorized access to private or sensitive information, such as student data, and were among the most common cyber incidents in 2019.
- Ransomware threats involve hackers holding data hostage in exchange for money or other demands, with potential costs in the United States reaching $7.5 billion in 2019.
- Finally, IoT devices, such as laptops, smart home accessories, and tablets, may lack security or be outdated, making it important for teachers to prioritize security when incorporating them into the classroom.
The Senior Leader Responsibility
The time when senior leadership could separate themselves from cybersecurity has long since passed. Even CISA’s recent report on safeguarding organizations from cybersecurity threats points out the need for more engagement from district leadership:
“These recommendations are presented with a caveat: change must come from the top down. Leaders must establish and reinforce a cyber secure culture. Information technology and cybersecurity personnel cannot bear the burden alone,” it states.
While the report is focused on K-12, leadership in higher education institutions should be taking note—senior leadership must be proactive advocates for cybersecurity initiatives in their district, including the implementation of common sense and free or low-cost safeguards, such as multi-factor authentication (MFA). They should also advocate for cybersecurity awareness and training initiatives across the district and at all levels. Establishing a Cybersecurity Awareness Month (October) program is a great way to keep higher education communities safer and to teach students the critical skills they need to become better, safer, and happier digital users.
The Mitigation Strategies
Begin by collaborating closely with the technology and business teams, as they are most likely to understand the importance of reducing cyber security risks. The business office (finance, HR, etc.) contains some of the most sensitive data, making it a prime target for cybercriminals. Enforcing access control limits each individual’s access to only the programs they need, preventing them from viewing unauthorized information and limiting attackers’ activities if they compromise someone’s account.
Most organizations have already invested in firewalls, intrusion detection, and virus and malware protection systems to protect their data on the network. Fewer are aware that they need cloud security to monitor for abnormal access behavior, suspicious account activity, and inappropriate information sharing practices in cloud applications like Google Workspace and Microsoft 365. Furthermore, always ensure that your browsers, applications, and operating systems are running the latest version, as each update fixes the vulnerabilities of the previous versions and protects against new threats.
Backing up your data is also important as it helps you retrieve original data even if your system becomes a victim of ransomware attacks. Finally, an incident response plan must be in place to help IT teams and cyber security professionals identify what needs to be done and who needs to be notified to expedite recovery. By taking these steps, educational institutions can prevent cyber-attacks and protect their sensitive data.