Breaches of personal information are increasingly a part of the national conversation, with recent instances like Equifax causing anxiety among customers who are concerned that their personal information may not necessarily be secure. And higher education is the industry most susceptible to attacks from third-party phishing or hacking, according to a 2016 University Business report stating that higher education institutions had suffered from 539 breaches affecting at least 13 million records since 2005.
Students are arriving on campus with more personal devices than ever before, according to Mike Mathews, the CIO for Oral Roberts University. This has undoubtedly necessitated increased awareness of personal security measures, he said, but it also potentially raised the danger of cybersecurity attacks.
“The number of devices students are bringing on campus is three or four ... and each one of those open up an avenue into our network if we're not careful," Mathews said.
CIOs must protect systems while allaying anxieties
Mathews stressed the importance of educating students and parents and allaying the fears and concerns about data breaches they likely have thanks to the ominous headlines concerning recent hacks. Student records are protected by robust federal regulations, Mathews said, and a hacker could not access such personal information simply by corrupting the university’s system. Most hacks of student information, he said, come when higher ed institutions removed that information from the usual mandated protections.
“We take a step back and let everyone know that the student system of record is one of the top security systems in the world," Mathews said, noting the school had never had a security violation. “Knowing that really alleviates a lot.”
Other administrators on campus are becoming increasingly aware of how damaging a data breach could be to an institution’s reputation, and they are supporting CIOs and IT departments in their attempts to educate students, faculty and staff. Ed Jalinske, the director of Cybersecurity Education and Awareness for the University of Wisconsin-Madison, said the school’s CIO and Chief Information Security Officer had granted him wide leeway on such initiatives. Jalinske said the school had sponsored student-focused events, brown bag sessions and webinars on information about how students and staff can remain secure online.
“People from all levels on campus, from the first-year students to university executives, don’t fully understand how to spot a phishing e-mail, for example,” he said, noting that the increased ubiquity of “vishing” (or voice mail phishing) or “smishing” (phishing via text message) made it more difficult to discern reality from forgery. “These attackers have become more sophisticated, trying to increase complexity of what you’re expecting, so you have to stay current in social engineering trends.”
In July, UW-Madison instituted a third-party “vulnerability scan,” to help the school pinpoint potential weaknesses in its devices, according to a recent letter from Michael Lehman, the school’s interim CIO. This third-party scan would “involve the deployment of a ‘disappearing agent’ to a large number of endpoints on campus,” according to Lehman, with the information offering the ability to analyze where potential holes in security systems may be.” The scan did raise concerns among ‘academic freedom’ from some faculty members, which Jalinskie said was an issue he habitually hears about from professors who are wary of engaging in security reviews or measures.
“The question we contend with is how we secure academics on campus while offering academics the freedom they’ve always had,” he said. “The concern initially was, ‘are you going to be monitoring activity taking place on my computer and would Ii necessarily have to reveal some of the particulars of research I’m conducting,’ which may be controlled unclassified information?”
Jalinske said the Department of Information Technology at the school assures researchers of the utmost confidentiality, integrity and security. Mathews noted that when it comes to faculty and staff, it is important to maintain a relationship of trust, and not to make them feel as if they were being “tricked” by cybersecurity tests and measures. The school conducts a test by sending out a controlled spam e-mail every six months, he said, but he is particularly optimistic about the increasing number of faculty members utilizing Oral Roberts’ IT department as a resource for learning more about cybersecurity measures.
"You can do more harm than good by the wrong approach and the wrong environment," Mathews said. “Everyone’s important to everyone else. Cybersecurity is as real as real can be, but our job is to prevent it, not scare everybody with it.”
Student engagement critical but difficult
Jalinske emphasized the importance of not to creating educational initiatives that use fear, uncertainty or doubt in order to get across necessary information, but he said the challenge of educating students in cybersecurity measures is getting them to attend campus events. The department responded by setting up informational tables or discussions where there are significant amounts of student foot traffic, including dormitories and dining halls. He said students want to be engaged in a campus’ cyber defense efforts, and word-of-mouth could be very beneficial in attempts to improve students’ knowledge regarding cybersecurity measures.
“We can distribute information through campus, but people are not going to come unless a peer mentions that they’re going to check out the event,” he said.
Mathews said leaders should endeavor to make sure their WiFi systems are 100% reliable, as it will make it easier to protect the campus system from potential breaches. Private mobile service providers also have strong reputations for protecting data and defending users from hacks, which alleviates the pressure to ensure the reliability and security of every device brought to campus by students or staff.
“Students today are occupied on their smartphones, and the security from those private providers really helps the campus," he said.