Data Security | Feature
6 Ways to Boost Cybersecurity on Campus
While data breaches, phishing schemes, malware and other security challenges pummel campus IT teams, bad user behavior can make the problems much worse. Here's how one university tackles cybersecurity awareness without breaking the bank.
Lack of user awareness is a significant known contributor to cybersecurity challenges, yet most IT shops don't have the time or budget to address it, according to Bill Balint, CIO at Indiana University of Pennsylvania.
A midsize public university that is part of the 14-institution Pennsylvania state higher education system, IUP has just 65 IT staff members (excluding student workers) serving about 20,000 users and an extensive technology infrastructure. Like most higher ed institutions, IUP contends with ever-growing security challenges ranging from inappropriate storage of sensitive data (across the cloud, thumb drives, smartphones, e-mail attachments, tablets, etc.) to increasingly sophisticated phishing attacks.
"We were just getting pummeled with phishing schemes, malware problems and other concerns related to cybersecurity," noted Balint. "But we also knew from our interaction with our user community that their lack of awareness made the problem much worse."
In a session at Campus Technology Forum last week in Long Beach, CA, Balint offered six ways to tackle cybersecurity awareness using existing and free resources.
1) Get IT's house in order.
Start by making sure IT has its own security priorities straight, recommended Balint. To elevate cybersecurity within the IT organization, he and his team built it into job requirements across the board: "We started to take certain practices and tasks of our software engineers, customer care agents, systems administrators, and said, 'When you get your next job evaluation, a bigger percentage of your evaluation is going to be based on how you adhere to best practices in cybersecurity.'"
Balint also focused on professional development for his staff, channeling existing funds into security events such as the Educause Security Professionals Conference and SANS training. His institution joined REN-ISAC (Research and Education Networking Information Sharing and Analysis Center), a community devoted to cybersecurity operational protection and response in research and higher education. Members share information on security threats, combining the IT expertise of 415 colleges and universities around the globe. "You're paying to extend your staff by having people monitor cybersecurity risks that are out there, and then inform you so your people don't have to do it," Balint said. "It is actually cost-saving."
2) Make security policies short and sweet.
Most institutions already have a variety of policies in place that go a long way toward enforcing cybersecurity, pointed out Balint. For example, if a student says something inappropriate on Twitter or in a text message, the technology medium is irrelevant — his transgression is covered by the existing code of conduct or civility policy.
"We took every policy that already existed and said, let's apply every single policy that already exists to an information technology or cybersecurity situation, and see how far down the road that will get us," explained Balint. "We're only going to write policies that all the traditional policies at our institution don't address — something that's unique to cybersecurity."
This approach helps make sure security policies are short and to-the-point. Once policies are in place, the IT staff reviews them annually to make sure nothing has become obsolete.
In addition, Balint advised, there's no need to rehash federal, state or local laws in the university's policies. "Our cybersecurity policies say if you broke the law, you automatically broke the policy. We don't go over what those laws are because they change all the time — they almost guarantee obsolescence." Users are responsible for knowing and complying with the law.
It's also important to make sure a cybersecurity policy and associated FAQs are written in a language that the whole university community can understand. "We want everyone from a tenured faculty member, to a staff member who might work as a plumber, to a freshman, to a Ph.D. student, all to get a policy that they can read quickly, that they will read, that's concise enough, that's in English so they can understand it," Balint said. He enlists help from a Faculty IT Security Action Team to make sure policies are clear and easy to read. And when a cybersecurity incident reveals that users don't understand the policy, IT makes changes to make sure a particular point is clarified.
3) Take every opportunity to broadcast the security message.
A portion of any new student and employee orientation materials is typically devoted to IT, noted Balint. His team has tweaked those messages to put more emphasis on cybersecurity, embedding cautions, instructions and encouragement into welcome packets, presentations, semester startup materials, residence hall materials, posters, the IT support center and more.
Be sure to take advantage of teachable moments, he added. Any time someone falls for a phishing scheme or is caught in unsafe computing practices, he uses that lapse as an opportunity to educate the entire university community.
4) Leverage free resources.
There's no need to reinvent the security wheel, said Balint; there are plenty of free materials available for the higher education audience. The National Cyber Security Alliance (NCSA) offers straightforward, up-to-date tip sheets, studies, infographics and other resources. Other useful sources include the Educause Cybersecurity Initiative and the PCI Security Standards Council.
Fellow universities — perhaps with bigger IT staffs — can also be an invaluable resource, Balint said. "Cornell does an outstanding job in the security area. They have tons of material — securing a computer, responding, internet safety, protecting your identity, all of these types of things. We try to drive our message to keep in touch with what they're doing and what they're changing."
5) Create an annual focus point to maintain momentum.
Too often, enthusiasm for tech initiatives fades over time and people fall back into old habits, pointed out Balint. He uses the NCSA's National Cyber Security Awareness Month (observed in October) as an annual springboard to bring attention to cybersecurity on campus. IT distributes a series of tips, surveys and contests throughout the month to help engage users and generate awareness.
Balint also advised working with academic units that have a natural interest in cybersecurity — for example, criminology, computer science, management information systems — to spread the security message. Academic-IT partnerships can enhance student learning while providing IT with inexpensive assistance, he noted.
6) Provide targeted information.
While IUP's IT Support Center Web site provides a first stop for users seeking technology information, Balint and his team also developed microsites for specific audiences such as students or system administrators. "You can't have 20,000 people and give them all the identical message, because it's either so technical that 95 percent of the people don't get it, or it's so general that the 5 percent of the people with the most access and the most critical need don't get enough detail," Balint said. "We target to make sure that we get down in the weeds when we need to, but don't get down in the weeds for people who are going to glaze over in 30 seconds."