On the list of sectors most vulnerable to the attention of cybercriminals, education comes up surprisingly high. According to cybersecurity company Symantec, education is in third place, just below healthcare and business services and above insurance, hospitality, and the wholesale trade of goods.
This guest blog post by our Partner Aerohive will explore 11 ways schools can protect themselves from cyber attacks.
Schools, colleges, and universities need to be open to thrive. The flow of information and ideas is the lifeblood of what they do. But it is also one of the most significant reasons that they are favoured as targets by cybercriminals.
That means they face a particularly thorny challenge when it comes to finding ways of protecting themselves. Educational establishments need to create a more secure environment but they need to do so without undermining their work.
The key is to get buy-in for change from the most senior managers. What is required is culture change, and that can only happen from the top. And there need to be programs in place to ensure that the culture change translates into behavioral change throughout the whole organisation.
The following tips should help:
Tailor user profiles for access to highly sensitive information to the specific needs of individuals. Not everyone has to have access to everything. And limit individuals’ ability to share information by email or other means to what is necessary for them to do their jobs.
Traditional security approaches are all about guarding the perimeter. Once the perimeter is breached, such an approach allows cybercriminals to roam freely within the system. Think more about protecting individual work processes.
Ensure antivirus software, firewalls and other security mechanisms are kept up to date, enforce frequent password changes and use multifactor authentication for the most sensitive information. Don’t take it for granted that this is being done. Police and enforce.
Provide strict guidelines on social media postings and other forms of publishing. It is this information on which the most successful phishing expeditions are based. If a phisher knows you are researching a particular aspect of bioconjugation chemistry, for instance, and then sends you a spoofed email seemingly from one of your research colleagues or even your financial institution, you are much more likely to open the email or text, click the links, and fill out your personal information in the form provided.
Information once leaked does not have to be easy to read. Make life tougher for cybercriminals and use the best encryption tools, even for what you may think is low-value data.
Limit the use of public-cloud-based services such as OneDrive and Dropbox and portable storage devices such as SD cards and memory sticks.
IT-department-led initiatives without sufficient input and buy-in from other parts of the organisation, and without coordination with them, run the risk of causing more disruption than benefit.
If the necessary cultural change is to take place, making sure that everyone knows about the risks and the tools available to them is paramount. Continuous and constantly updated awareness and training programs need to be put in place.
Use the latest cyber-forensic techniques to detect ongoing attacks before they get too far. Even small changes in a computer network can indicate an unwanted and potentially damaging intrusion.
In more cybercrime-prone industries such as finance, IT security audits are a regular occurrence. In universities and colleges, however, they are still the exception rather than the rule. That needs to change.
Security does not come cheap. Robust security solutions require larger investments in IT. Security has to be given a higher priority in the list of items to be spent on.
These are not easy steps, nor inexpensive, but the alternative of having to deal with the aftermath of a major incursion could be far worse. Treat IT security as you would any other risk. Think about the extent of the risk and the possible impact of any damage, and apportion resources and budgets accordingly.
It is only with such conscious efforts that the number of successful cyber attacks on universities, colleges and other educational establishments will be reduced. Without these efforts, they can only get worse.