Turning a Core Competency into a Campus Culture of Cybersecurity: A Guide for Higher Ed

A new guide for higher education on improving cyber defense through campus-wide training offers actionable advice for institutions’ leaders on how to translate their core competency — education — into a successful cybersecurity awareness program that reduces vulnerabilities and improves security posture.

The guide, from Ninjio Cybersecurity Awareness Training, delves into specific ways that institutions of higher education can improve their cybersecurity posture through behavior-based awareness campaigns and exercises. 

It follows the recent Sophos 2023 State of Ransomware Report’s revelations that 79% of IHEs surveyed reported they were hit by ransomware in 2022, the highest among all sectors and a 23% increase year-over-year.

“There’s a common misperception that cyberattacks are too complex and advanced for people without technical backgrounds to identify and thwart. This couldn’t be further from the truth,” says the Ninjio guide. “By empowering students, faculty, and administrators with robust cybersecurity awareness, CSAT programs protect institutions from digital intrusion across the full range of attack vectors. The best way for universities to rapidly improve their cybersecurity posture is to make cybersecurity awareness a core focus at every level of the institution. Trained students, faculty, and staff will then become an integral part of the culture of cybersecurity: capable of keeping the entire university community secure.”

Ninjio CEO Shaun McAlmont, Ed.D., told Campus Technology that the goal should be to build a “culture of cybersecurity” alongside other campus culture efforts, in which students, professors, and administrators participate in consistent and engaging cybersecurity awareness training to limit the institution’s vulnerabilities across the entire network.

“Institutions of higher education, perhaps more than other organizations, put a lot of thought into their culture. Especially in the U.S., colleges and universities trade heavily on that culture for onboarding new faculty, staff, and students and for continuing engagement with alumni,” McAlmont said. “There’s already a lot of communications infrastructure to support that level of cultural engagement, but it likely isn’t run by the IT department. 

“Security leaders who need to reach and engage with their campus communities on cybersecurity awareness should work to get stakeholder buy-in from those who administer those lines of communication. They should also get support for integrating cybersecurity awareness training into the faculty and staff onboarding and new student orientation processes.”

4 Key Components for Cybersecurity Awareness Training in Higher Ed

Ninjio’s guide emphasizes four foundational components of a successful cybersecurity awareness program in higher education:

1) Earn the attention of learners.

CSAT programs require “drama, engagement, and reward,” McAlmont said. “There’s no reason cybersecurity education has to fall into the familiar patterns and pitfalls of formal training programs: stale and monotonous content paired with zero interactivity. By providing high-quality, narrative-driven CSAT content, universities will help students, faculty, and administrators learn and retain critical cybersecurity concepts.”

2) Explain why cybersecurity is so crucial for everyone.

There are always be many competing priorities and cybersecurity is rarely at the top for most people with non-technical roles. Clearly explain the risks and highlight the benefits to everyone, regardless of their role. 

“When it comes to CSAT, this means providing information about the latest cyber threats, how they affect individuals, how much damage they can cause, and how everyone can work together to prevent them,” said the Ninjio report. “Given the importance of cybersecurity awareness in today’s workforce, universities should emphasize the ways CSAT can help students and employees build marketable skills after they leave the institution.”

3) Personalize your cybersecurity training.

It’s important that you meet your learners where they are. That means customizing training content to different learning styles and subject matter familiarity. 

“The most effective CSAT platforms are personalized, which means they account for individual skill levels, personalities, and learning styles,” the report said. “This will improve engagement by building content around the specific needs of each learner, which will improve learning outcomes and make students feel valued. Beyond the psychological value of personalization, universities will also be in a stronger position to determine how well learners are absorbing the material if they have more in-depth, individualized data.”

4) Promote accountability.

“It's a given that teaching but not testing for understanding will get you nowhere,” Ninjio said. “Regularly evaluate your program with simulated phishing, assessments, engagement tracking, and reporting. When institutions hold themselves accountable, they will ensure that their CSAT programs are creating long-term behavioral change.”

Why is Education in Cybersecurity Basics So Hard for Higher Ed?

The report notes that institutions of higher education are already skilled at education, yet IHEs seem to lag behind other sectors in educating their users on cybersecurity best practices. 

McAlmont said he believes IHEs innately face three hurdles that most organizations in other sectors don’t: complexity, culture, and priorities.

“Complexity is a big issue because campus communities include people from so many different disciplines, life stages, and job functions. Creating a training program that speaks authentically to the needs of each of these learners is difficult to do at scale,” McAlmont said. 

“Beyond that complexity, modern universities foster a culture of openness to support the exploration of free thought and inquiry,” he said. “Making people feel included and empowered to contribute is key in an educational setting, which is a little antithetical to the guarded, skeptical stance that they need to be taking online.”

Lastly, training such as CSAT programs “can get lost in the shuffle” of a long list of other priorities at a large institution, McAlmont said. 

“Campus IT security leaders can’t pull off training 25,000 users in a vacuum – they need stakeholder support for making cybersecurity awareness training part of the workplace experience and campus life,” he said. “The separation of admin and student networks adds complexity. There are about 15 million to 17 million students in U.S. higher education today who will become the business leaders of the future; however, I don’t believe institutions see preparing students with these types of tactical business and technical risk and awareness skills as part of the educational mission. 

“Getting that buy-in isn’t just about protecting the institution. Because of the proliferation of technology, ease of internet access, AI, gaming culture, etc., it has now become a necessary level of preparation for employees in the workforce. Educating on this topic aligns directly with the core mission of a university.”

McAlmont said it is possible for an IHE to implement the foundational elements of a CSAT program even without adding expensive resources, if the institution’s IT staff has expertise in the most common and recent breaches and hacking attack vectors, and if the institution has an in-house or student development team to create the learning tools.

In a perfect world, every IHE would prioritize implementing a CSAT program that incorporates the “key parts of a successful educational methodology: something that is engaging, personalized, repetitive, and incorporates different learning styles,” McAlmont said. “A training program with regular touch-points that can reach a diverse set of learners where they are is the first step.”

He added that using brief examples from real-life cyber attacks as learning moments is a great tool for training.

“Learning that is relevant to an issue or experience and that clearly points out risks and benefits to the individual is also important,” McAlmont said. “Keeping the learning focused on creating new habits and positively changing behavior versus sending more punitive messages is also important.”

Finally, every IHE should have a CSAT program in place that is delivered to every member of the campus community, he said. 

“That program shouldn’t be an annual training session, but rather structured with best educational practices in mind,” McAlmont explained. “That means campus IT security leaders should be communicating and training regularly, repetitively, and across different learning styles in order to engage learners so they can help protect networks.” 

And every CSAT program should be complemented by simulated phishing campaigns, he added.

“Beyond implementing cybersecurity awareness training that works, IT security leaders must work with other campus leaders to convince the community that the training is necessary and valuable for everyone to help boost adoption.”

Learn more about Ninjio’s services at Ninjio.com or download the full guide.

Featured