Solving cybersecurity’s “people problem”

Reducing information security risk

Of the estimated 1,300 data breaches that have occurred in the education sector since 2005, The Chronicle of Higher Education reports that 75% occurred in colleges and universities. As technology becomes increasingly foundational to both in-person and online learning, institutions will need to invest in regular upgrades to their technology to keep pace with the external cyberattacks that account for approximately 43% of reported data breaches. But because an additional 27% can be chalked up to internal leaks, it is also crucial to prioritize ongoing, campus-wide education in any information security strategy.

Cracks in your human firewall are as dangerous as those in your digital firewall. Some users are completely unaware of how valuable even partial information may be to potential hackers or that the institution’s most important property is intellectual, not physical. Others may complete one-and-done IT security training, but not bother to create strong passwords or encrypt sensitive files.

While it’s easier to raise awareness than to truly change user behavior, education is still one of the most important tools for safeguarding data. To mitigate cybersecurity’s “people problem” and ensure users are an asset rather than a threat, your information security training program must be both comprehensive and ongoing.

Defining the risks

When imagining human-related data breaches, it’s easy to focus on the hackers that loom large in the popular imagination, nefariously rubbing their hands together before rapid-fire typing their way through all your defenses. The fact of the matter is that cyber attackers don’t need to work nearly as hard in real life as they do in movies. They just need to gain access to a single user account, which is why all internal leaks must be sealed.

According to IBM’s Cost of a Data Breach Report 2021, compromised credentials are the most common entryway for attacks, accounting for 20% of reported incidents across industries. Because access and identity management are inherently prone to human error, technology alone will never solve all our security problems.

Insiders know the most about the inner workings of their institution, and most have access to one or more systems that hold personal data. If a lot of data sits under the control of just a few insiders, you’re at even greater risk—particularly if you lack checks and balances or a clear separation of duties.

Complicating things further, many data breaches caused by insiders are unintentional. An employee or student may attach the wrong file to an email, lose a laptop or USB drive, do secure work on a public Wi-Fi network, use an infected mobile device on the corporate network, or unknowingly provide compromising details on social media, all without thinking twice about the threats inherent to these activities.

One of the most common risk factors, however, is the threat of phishing attacks. Phishing is the process by which a hacker delivers malware or simply tricks the victim into giving up personal information directly. Disguised as a trustworthy party, the hacker contacts victims through email, instant message, social media, or a malicious website designed to look legitimate and gets them to either click on a link (which installs malware onto the computer or network) or give up sensitive information (such as usernames, passwords, and credit card details).

Despite the growing awareness of these kinds of scams, millions of people still fall for them every year. As hackers get more sophisticated about disguising communications, one of the main tools institutions can use to combat the threat is education.

8 strategies for an effective cybersecurity training program

1. Make annual security training mandatory for all employees

All employees, not just IT staff, should be aware of cyber threats and be equipped to respond appropriately. They should also understand institutional policies regarding the proper use of data and technology, as well as the consequences of non-compliance.

In addition to training new hires as they join the organization, make annual information security education mandatory for all employees. Because threats and best practices evolve quickly, your training materials should too, so don’t use the same content year after year.

Many institutions have a formal acknowledgment process that requires employees to demonstrate that they’ve completed the training and understand the material.

2. Provide ongoing education

Once-a-year training is not enough. Changing awareness and behavior doesn’t happen overnight, and even after a change occurs, it can only be maintained through continual reinforcement. Provide regular communications about information security using multiple channels, including:

  • Emails: Send awareness-building emails on specific threats and best practices as that information becomes available.
  • Videos: Conduct short video interviews with your information security leaders, and record any live events or panel discussions so employees can refer back to them.
  • Posters/signage: Get creative and share infosec tips and graphics on posters and signage around the office, and/or through graphics distributed online.
  • Newsletters: Include timely articles and resource links in employee newsletters or other internal communications.
  • Webcasts: Provide live online training on specific topics when appropriate.
  • Events: Hold infosec awareness events or town halls with guest speakers and interactive elements to encourage participation.

If you have the resources, consider a training partner. There are many vendors that provide content for all these channels, which can be used as-is or adapted to meet your needs.

3. Partner with your communications team

Your communications team can greatly enhance the effectiveness of training materials and awareness-building campaigns. When it comes to crafting the right messages for the right audiences, developing compelling copy and graphics, and pushing content out through multiple channels, they have the experience and resources required to make an impact.

4. Don’t just inform, demonstrate

General education about data threats is important, but it’s just the beginning. To encourage information retention, put it in the context of people’s everyday lives. For example, don’t simply send an email defining “phishing.” Send an actual mock phishing email to test whether employees risk data breaches by clicking any links or opening attachments. This can reveal gaps in infosec awareness, informing the types of training needed to ensure employees won’t get tricked by a real attack.

Incorporate practical exercises and real-life examples into your mandatory annual training to effectively illustrate concepts and make messaging stick.

5. Develop a “security champions” program

Enlist passionate people across all areas of the institution (not just IT) to champion security, model best practices, support infosec events and campaigns, and raise awareness. Provide your champions with regular training and keep them engaged by offering prize incentives, while demonstrating how their efforts are making an impact.

6. Take advantage of National Cyber Security Awareness Month

October is National Cyber Security Awareness Month. Take advantage of the momentum it generates to enhance your own cybersecurity campaign.

Get creative with messaging this month by pairing cybersecurity messaging with engaging contests and prize incentives. Share links to national campaign coverage, events, and other activities on your social media feed or in your newsletter. By making National Cyber Security Awareness Month special, you can help instill best practices year-round.

7. Bring in guest speakers

While interviews with your own institutional leaders can work well, sometimes bringing in an outside expert on cybersecurity can increase engagement. Look for speakers from well-known organizations with unique stories that will pique employees’ interest. Host speakers live in a town hall environment and/or make a video available for ongoing education.

8. Partner with HR

Creating a culture of commitment to security requires strong support from every department—especially HR.

The responsibility for protecting information should be incorporated into position descriptions, employee onboarding, and regular training schedules. It should be part of institutional values, policies, and best practices.

As the liaison between leadership and employees, HR can also help foster a culture where it’s okay to ask questions. If employees sense that hitting deadlines—with, for example, wire transfers or reports—is more important than exercising caution, they may choose to ignore security warning signs, potentially costing the institution far more than a few lost hours of work.

Next steps

Nearly all the top security threats facing higher education have a human dimension, which is why institutions that focus as much on people as technology will win the cybersecurity game. When it comes to staying vigilant against breaches, the more users know, the safer they’ll be. For higher education, extending a culture of constant learning to information security will empower institutions to thrive in the midst of an evolving—and also, exciting—age of information.


Meet the authors
Ellucian