How Schools Can Protect Themselves From the Most Dangerous Cybersecurity Threats
Low-cost, high-impact safety measures
As methods for accessing and stealing data grow slicker and harder to spot, not a day goes by without a news report about a data security issue. Higher ed leaders, in particular, should be concerned about these threats, as colleges and universities are top targets for hackers and scammers.
Bad actors often slither into email systems, snatching everything from paychecks to email addresses that are then sold on the black market. They even reroute payments intended for vendors. Sometimes the criminals hack their way into computer systems and networks, but often they're able to slip in through human error.
Speaking with EdSurge, Josh Sosnin, Chief Information Security Officer for higher education technology provider Ellucian, shares his on-the-ground perspective about the top cybersecurity threats facing schools today. He suggests low-cost, high-impact safety measures schools can adopt, and explains how working with cloud providers can ease the security burden on IT teams.
EdSurge: Which cybersecurity threats should most concern schools?
Josh Sosnin: Something higher ed is facing right now is what's called “business email compromise” or BEC. It's phishing, but highly sophisticated. One of the significant areas they target is accounts payable fraud. Bad actors go after a school's vendors—that could be vendors for anything from sporting equipment to furniture.
Scammers hack a vendor's email, watch to see who they communicate with and then try to trick you into making an invoice payment to them—the bad actor—instead of to the vendor's accounts payable. It could be as simple as, "Hey, I got a new email address. Can you switch to this?" Or, "We've got a new phone number. If you're going to call me, use this phone number." Then, they wait, gain some trust, and at the right point in time, jump in and try and get the funds to go somewhere else.
Another scam we've seen recently is fake submissions for enrollment. Some institutions assign students an .edu email address shortly after they apply. That account is valuable because many companies will give you discounts on all sorts of things with an .edu email address. It's worth at least $5 on the black market. And there are places on this planet where $5 is a lot of money.
Bad actors will also use an .edu account to launch a phishing campaign into the higher ed institution; you're more likely to believe an email coming from inside than something coming from outside the institution.
What can IT departments do to promote cybersecurity right now?
There have been significant advancements in security software and artificial intelligence, but there will never be a perfect system to protect you. In the end, it's a human on the other end trying to trick you into doing something. So we need a human-firewall—meaning, awareness training is the key. Coaching people to take a second and ask, "Does this look right?" is very important.
In my experience, that training is most effective when it’s done in small and digestible doses, such as quick tips in newsletters. I've also seen universities create what they call a "phish bowl"; they use intranets, emails, or chat systems to share examples of real-world phishing scams in order to raise awareness.
But you also need to make that training personal—not just about protecting your institution—in order to make it stick. For example, highlight how the same procedure that protects your IT system at work can also protect a personal bank account and identity.
Some institutions also test employees with fake phishing scams. I think that's valuable, but it's crucial to do that constructively. You're not trying to make anybody look bad.
Along with training, what can schools do to ensure their data is secure?
Another step is to deploy software patches—which fix vulnerabilities in a computer program—quickly for your SIS, email system, accounting, etc. The time it takes from patch release to when you deploy is key, especially if you're an on-premise customer—meaning you run software on your own. But that can be difficult in large organizations. When do you schedule that downtime? If you've got registration coming up, you have to weigh options—you probably don't want to take a system down then to patch. If you're in the cloud, your cloud vendor will take care of patches for you.
Then—if you have a good patching process and you're doing security awareness—multi-factor authentication (MFA) is the next place to go.
Multi-factor authentication is literally using multiple ways to prove this is your account. Right now, when you authenticate, it might be with a username and a password—the password is one factor. But we want multiple and different types of factors to add more layers of protection. These factors could be something you know (your password), something you have (an authenticator application on your cell phone) or biometric information (your fingerprint). Then if someone steals your password, he can't do anything bad with it because he only has one factor. It solves a lot of these problems and puts you in the position where a stolen password isn't a crisis anymore.
How can moving systems to the cloud help schools with cybersecurity?
Focusing on cybersecurity is smart planning. And moving to the cloud to improve cybersecurity can take some of the load off schools.
The cloud lets your staff focus on tasks that are key to running your business. For example, your cloud provider is now responsible for disaster recovery, freeing up resources and staff to work on more interesting and meaningful projects.
After moving to the cloud, one school I worked with developed a system that helps it identify if a student is likely to make it past their first or second semester so advisors could proactively intervene before students drop out. Cloud support frees up IT departments to do things like this, which increase the odds of students being successful. I love that idea.
I focus on security in my work so schools can focus on what they do best, helping students get to where they want to go.
Do you have any tips for finding a cloud provider that takes cybersecurity seriously?
- Use Educause's Higher Education Cloud Vendor Assessment Tool (HECVAT).
- Ask vendors directly about their security policies. If they ignore you, don't respond or delay, they might not be taking it seriously.
- Do a background check. Google "company name + disclosure policy".
- Search for somebody at the organization who's responsible for security. If you can't find them after five minutes of googling, you should be concerned.
- Ask vendors for a copy of their information security policy.
- Read third-party reviews around security testing, audits, penetration testing.
First published by Wendy McMahon in EdSurge.