All the cyberdefense tools in the world don't do much good when students, faculty and staff don't know how to keep information secure.
But time for training can be challenging for research and education institutions. Students carry a full load of classes. Faculty often work 60 hours a week. University staff members focus on finishing their teaching, learning and research work. That doesn't leave much time for cybersecurity awareness, said Bob Turner, chief information security officer at the University of Wisconsin-Madison.
"The simple fact is that we are an academic community, and there's an awful lot to be learning here," Turner said. "Cybersecurity unfortunately sometimes takes a backseat."
Staff members may just be doing their job, processing one email request and moving on to the next, said Matt Morton, CISO and assistant CIO at the University of Nebraska at Omaha. But what they don't know is that a wire transfer or request for payroll information they just received was not requested by the university chancellor. Someone else asked for it, and this impersonator just got away with stealing.
In fact, just over a quarter of miscellaneous errors in the ongoing cybersecurity war worldwide included sharing sensitive information with the wrong person, according to the 2016 Data Breach Investigations Report from Verizon. Phishing attacks like that spoofed chancellor's email give attackers their first win that sets off a chain of events, including an emailed link, malware installation on users' desktops and stolen credentials. Once they have credentials, they can access systems, install malware on them and export data.
While education helps tackle this challenge, information security officers also need to find tools to prevent the email from reaching university inboxes, Morton said. If they can intercept the email, that gives users fewer opportunities to be deceived.
"We've got to do a better job of making sure they just don't get phishing emails to begin with," Morton said.
International students in particular fall victim to these emails, so that's why the University of Nebraska at Omaha started working with the International Studies and Programs division on campus to educate students about cybersecurity as soon as they arrive, Morton said. That said, he sees a lot of machines on the university network that are infected by malware, and he wonders if the problem goes deeper into the university's student population than he thought.
"I am afraid that students as a whole are being affected more broadly, but we're not hearing it," Morton said.
This year, Morton's team is planning to share more information with students so they can understand the havoc phishing can reap. Until now, their education approach has been minimal, but it will be improved substantially. That said, the university does spell out a regulated data security policy to help its community protect sensitive data.
When it comes to education about cybersecurity, universities aren't slacking off. Nearly three-quarters of institutions surveyed in the EDUCAUSE Core Data Service require faculty and staff to go through information security training, while just over a quarter of them require students to do the same, according to Joanna Grama, director of the IT Governance, Risk and Compliance Program and cybersecurity programs at EDUCAUSE, a nonprofit association of IT leaders in higher ed.
While universities have to do compliance training with employees in their first weeks on the job, those employees won’t remember the cybersecurity training they receive because they’re getting so much other information during that time, said Kim Milford, executive director of the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), which promotes cybersecurity operational protection and response in higher education. That’s why it’s helpful to get information in front of them right when they need it, like when they receive access to a new application. It also helps to provide frequent training delivered in many ways.
"There's no such thing as too much education," Milford said.
|The EDUCAUSE 2016 education calendar can help universities create awareness campaigns around cybersecurity topics.|
At the University of Wisconsin-Madison, cybersecurity governance groups on campus helped the CISO's team come up with ideas for targeted levels of training in 2015, along with a five-year cybersecurity strategy. They finished a pilot this spring that teaches students how to steward their information and properly access and secure resources across campus. The next training level will help educate administrative staff members who handle large volumes of student, health-care or financial information for the university.
Above that, the IT and security professionals across campus are going through their training. Finally, they'll help faculty and researchers understand the important data they have, including student data covered under the Family Educational Rights and Privacy Act, personal health-care information for patients that’s covered under the Health Insurance Portability and Accountability Act, and sensitive research under federal grants.
Communication is also a key component of the university's overall education strategy, with the university's communication team heavily involved in creating website briefs on different topics. They'll be launching a chief information security blog, and Turner has been tweeting from his account as well.
"Really, the user is the one who has the opportunity to apply the policy or apply the tool," Turner said. "If we don’t have that user educated well enough to understand, that's a potential point of vulnerability."