- Data-rich colleges and universities are becoming frequent cyber crime targets
- Leaders should be aware of four common threats aimed at higher education
- Creating a security-conscious campus is critical in defending systems and data
Elevating data security
Vast troves of personal, financial and medical data, as well as intellectual property, have attracted cyber criminals to colleges and universities. Disruption caused by the pandemic also makes higher-education information security more important than ever.
While data is central to every technology interaction, the good news is that data protection is as much a human issue as a technology issue. Instilling campus-wide awareness and cyber-security education is one of the most effective tools for defending against fraud attacks.
Threat types and incident-planning ideas
Ransomware
This form of malware tricks people into opening attachments or clicking on links in email, texts or web pop-ups. Once activated, the malware seizes control of an institution’s data and delivers a message demanding payment. In addition to data loss and reputational damage, ransomware that exposes confidential information, such as HIPAA health data, can trigger fines and penalties.
Even as ransomware attacks become more sophisticated, planning and vigilance are often the most effective protection:
- Start your multi-layered defense with off-site or cloud-storage backup.
- Update all security software, patches and operating systems on a regular basis.
- Revise third-party vendor lists and monitor network access.
- Ensure that everyone with network privileges exercises caution.
- Share insights about past and current ransomware incidents.
Business Email Compromise (BEC)
BEC exploits a person’s tendency to trust. Common scenarios include an email account posing as a vendor, contractor, payroll or human-resource department—each requesting payment or fund access. BEC even preys on students through fraudulent university emails requesting tuition or book payments.
Establishing common-sense guidelines with your payments staff creates a first line of defense. Many security-conscious organizations require employees working with transaction data to:
- Confirm any unusual requests in person or on the phone.
- Report all apparent BEC attempts to IT and relevant parties immediately.
- Delete emails from unrecognized senders; never open attachments or click on links.
- Inform banks and credit bureaus, freeze accounts, change passwords, document activity, and alert authorities when a breach occurs.
A network is only as secure as the most vulnerable connected device. Cyber criminals often target home-bound workers who may be using their personal mobile phones or tablets, home Wi-Fi routers and other insufficiently secured devices.
With frequent and clear communication about basic mobile-security hygiene, institutions can reduce the chance of a breach. The key is to establish guidelines about device usage and require remote workers who manage sensitive data to:
- Use institution-issued devices, including routers and VPNs.
- Restrict institution-issued devices from personal or household use.
- Work with secured home routers, password managers, and multi-factor authentication.
- Update software and operating systems and avoid public Wi-Fi use.
Internet of Things (IoT) devices
Because IoT expands the cyber landscape, higher ed institutions must identify all devices connected to the network, configure them to ensure secure connections, and push firmware (embedded software) and security updates as needed.
With careful planning and maintenance, IoT devices can be valuable additions to an institution’s infrastructure. The most important questions while evaluating devices are:
- Will your devices receive firmware and operating system updates?
- Does the manufacturer provide support, including “pushing” automatic security updates?
- How advanced is the device’s authentication?
- What level of data encryption is available?
- Can the device be remotely controlled and monitored?
Evolving efforts deliver benefits
Whether it’s a new technology investment or an updated incident-response plan, cyber security is an evolving effort. Institutions that make security part of their culture can reap technological benefits and pursue their educational missions with confidence.