7 Cyber Safety Policies Universities Need to Implement Right Now: Part 3

Universities are large and lucrative targets for cybercriminals who want to get at their information. Alongside strategic measures to protect institutions from cyberattacks, such as reviewing vendor relationships and considering hiring a chief information security officer, universities can also take quick steps to keep information safe by establishing new online policies designed to protect students, staff, administrators and faculty from phishing attacks and identity theft.

The weakest link in an institution’s cybersecurity strategy is its users. In its Grand Theft Data report, McAfee revealed that people inside organizations cause 43 percent of data loss, and about half of those issues were accidental. A large portion of cyberattacks at higher education institutions are caused by social engineering, in which a criminal manipulates an individual into giving up private information or access to accounts. Social engineering attacks are easier than hacking into systems, because there’s no hacking involved. Colleges and universities should ensure that their policies are designed to protect users with ample authentication, keep users cyber-safe even when not on campus and establish best practices for Internet usage.

Here are some cyber safety policies institutions should either implement now, or revisit to ensure that they’re sufficiently protected from growing threats and increasingly sophisticated attacks.

1. Demand strong passwords. It sounds simple, yet many users can’t be bothered with complex passwords unless they’re made mandatory. In addition, install a program to ensure users change passwords every few months, and discourage users from setting up an online file to store all their passwords. It’s convenient, but risky.

2. Insist on two-factor authentication for sensitive data. Multi-factor authentication allows users to access an application or website only after confirming their identity in two ways, typically by providing a password along with a verification code sent to the user’s phone, a passcode or even a biometric factor like a fingerprint. Two-factor authentication (2FA) provides a higher level of security than a simple password.

3. Safekeep information via encryption. Some information held by universities is especially sensitive and access to this data is typically limited to a small group of users. Encryption, which is the process of scrambling readable text so it can’t be read by anyone other than an authorized user, plays an essential role in safeguarding information that must be kept private. In order to decipher the text, a user must enter a secret key that can transform data into a readable format. Introduce data encryption guidelines as the University of Texas at Austin’s Information Security Office has done.

4. Limit information. Segment and restrict information to those who absolutely need access to the data to do their job.

5. Provide training. Periodic instruction on online security best practices can help faculty, staff and administrators not only become more mindful of the need to protect data, but also approach suspicious emails more thoughtfully. Alert users to new threats or approaches as they come up. Security awareness training should be required for employees across the institution, and may be done either internally or through an outside provider, as the University of Richmond does.

6. Protect users, even when they’re off campus. While they’re on university grounds, users typically benefit from firewalls and extensive network security protection. But once they’re using their laptop at the local Panera Bread shop, and going online via an unsecured wireless network, for instance, staff, students and faculty run the risk of their data falling into the wrong hands. Consider implementing a virtual private network or VPN, which protects users online even when they’re away from school, as the State University of New York at Potsdam does for administrative staff.

7. Always have a back-up plan. Recommend that users back up data regularly and keep the backup system safe as well. Provide users with detailed instructions on how to perform a backup and where to store files, as Amherst College does for its online users.
