Security awareness training is one of the most effective ways to combat cyberthreats. Following these principles can help create an effective program that lasts through times with high IT staff turnover.
In today's digital age, higher education institutions are at an increased risk of cyberthreats, data breaches, and cyberattacks. As a result, building an impactful security awareness program is essential to safeguard sensitive information, protect the reputation of the institution, and ensure the safety of students, staff, and faculty members.
One of the challenges facing higher education is turnover among IT staff. This trend is particularly prevalent among midlevel IT staff who are responsible for managing the day-to-day operations of the technology infrastructure at their institutions. In addition, the rapid pace of technological change and innovation creates a constant demand for new skills, making it difficult for colleges and universities to keep their IT staff up-to-date and engaged.
This issue is one reason why developing and maintaining a security awareness program proves challenging. However, building a program on a foundation of proven principles can help establish it in a way that stays effective even when there is high turnover among staff members.
My organization just completed two penetration test engagements for major universities. Some of the insights gained from those engagements are detailed below. Here are seven ways to build an impactful and lasting security awareness program for higher education:
1. Develop a comprehensive security policy.
The first step in building a successful security awareness program is to develop a comprehensive security policy that outlines the rules and guidelines for protecting sensitive data and information. This policy should cover all aspects of cybersecurity, including data privacy, password management, network security, and incident response. It should also be regularly reviewed and updated to reflect any changes in the security landscape.
2. Conduct regular, role-based security awareness training.
Regular security awareness training is essential to ensure that everyone in the campus community understands the importance of security and how to protect sensitive information. This training should cover many topics, including phishing, malware, password security, social engineering, and incident response—but the training should not be the same for everyone. It should be tailored to the specific needs of each department and of staff roles such as IT personnel, administrators, and faculty members. Many organizations find that using a security awareness training partner is more feasible than doing it all internally.
3. Develop a separate security awareness program for students.
Students also need security awareness training, which should be a condition of their enrollment. College and university students often handle sensitive information and are likely to encounter cyberthreats. They also need different levels of access and permissions than faculty, and they have very different IT and computing needs.
Colleges and universities should provide training sessions on best practices for securing personal information, such as using strong passwords and avoiding phishing scams. It is also important to educate students about the risks of sharing personal information on social media and the importance of securing their devices with antivirus software and updating that software regularly. Additionally, colleges and universities should provide resources for reporting suspicious activity and encourage students to practice safe online behavior on and off campus. By developing a culture of security awareness, students at colleges and universities can protect themselves and their personal information from potential threats.
4. Encourage faculty, staff, and students to report security incidents.
Encouraging all campus community members to report security incidents is essential to ensure that any breaches or incidents are dealt with quickly and effectively. All faculty, staff, and students should be encouraged to report suspicious activity or incidents immediately. Ensure that clear procedures are in place for reporting and responding to incidents—and that everyone knows where to find them.
5. Conduct regular security assessments.
Regular security assessments are crucial for identifying potential vulnerabilities and weaknesses in the security infrastructure at higher education institutions. These assessments should be conducted by experienced security professionals and cover all aspects of security, including network, application, and physical security. A given college or university may run old or legacy systems that are vulnerable in ways other systems are not, and those systems may require specific, enhanced security measures whenever staff or students use them. Regular assessments are necessary for capturing these institution-specific quirks, which could otherwise undermine the effectiveness of any awareness training or policy.
6. Ensure continuous improvement.
Ensuring continuous improvement of the security awareness program is essential. This can be achieved by regularly reviewing and updating the security policy, conducting ongoing security training, and monitoring the effectiveness of the program. Creating a culture of open and honest feedback from faculty, staff, and students can help identify areas for improvement.
7. Get buy-in from the administration.
Make sure there is buy-in and participation from the administration. Without administration participation, fighting for adequate resources will likely be more difficult, and the picture of institutional risk will be incomplete, because administrators have visibility into the organization that most others do not. Having the administration champion the security awareness initiative makes it more likely to result in a measurable cultural change.
Creating a Culture of Security
Building an impactful security awareness program for higher education is essential to protect sensitive information, safeguard the reputation of the institution, and ensure the safety of faculty, staff, and students. By developing a comprehensive security policy, conducting regular security training, creating separate training for students, conducting regular security assessments, and ensuring continuous improvement, higher education institutions can create a strong culture of security awareness and reduce the risk of cyberthreats and attacks.
Balancing security requirements with the need for college and university computing resources to be accessible, easy to use, and primed for collaboration is a unique challenge. Implementing these seven items is an effective way to create the proper foundation to enable colleges and universities to meet all of these requirements in a safe, secure, and lasting way.
Keatron Evans is Principal Cybersecurity Advisor at Infosec, a part of Cengage Group.
© 2023 Infosec.