We at Collegis Education have been reflecting on ways the pandemic changed the educational climate and how we can best continue to support our college and university partners, as well as their communities. While many higher education employees are back on campus, there may come a time when working remotely becomes a necessity again, either part-time or full-time.
With these changes in the workforce, one might assume that the cybersecurity landscape has changed drastically as well. Employees working remotely are logging in from their personal networks, conducting training via video call and attending meetings in virtual conference rooms wearing button-down shirts or blouses paired with pajama pants.
The boundaries between home and the office are blurring, and this may very well become the new normal. Even so, the cybersecurity threat landscape remains remarkably similar to what we faced from the workplace. It’s important to remain just as vigilant in protecting your institution against these risks.
3 key cybersecurity threats facing a remote higher ed workforce
Remote working has introduced a host of new challenges. Learn more about three significant information security risks colleges and universities should keep top of mind in order to enable a secure and effective remote workforce.
1. User compromise
Despite our best efforts, compromised users still represent the most significant risk to college and university networks. Phishing remains a persistent threat in the college community, and it represents a risk that exists no matter where employees reside. In fact, one study revealed nearly 90 percent of top U.S. higher education institutions fail to protect students and faculty from phishing attacks.
Information security experts warn about an increase in such incidents due to the pandemic, considering more students and staff are using personal devices and logging in remotely. This makes it even more critical for universities to establish or continue robust cybersecurity training, monitoring and simulated phishing campaigns.
Ensure that your university IT team has deployed reporting mechanisms that make it easy for users working from home to report suspicious emails, as well as phone calls or SMS messages. Finally, remind employees, including administrative staff and faculty members, to protect student and employee data just as strongly as they would in the office environment.
2. Ransomware
Ransomware continues to affect colleges and universities, with several incidents making news after business interruptions impacted students and their ability to access educational resources. According to Inside Higher Ed and other sources, these attacks, in which perpetrators block access to data through encryption or other means until a ransom is paid, are increasing and evolving.
In some cases, perpetrators threaten to release stolen data publicly on the dark web if ransoms are not paid. Resilience against ransomware is realized through steady, segregated backups, encryption and training for users to recognize phishing emails, which are a major vector for ransomware attackers.
One often overlooked opportunity is information sharing among peers. The Research and Education Network Information Sharing and Analysis Center (REN-ISAC) provides an excellent, vetted and peer-reviewed network where colleges and universities can share information and warn other institutions about threats in the education sector. Colleges and universities can band together to counter this significant risk and reduce the likelihood of business interruption.
3. Poor data hygiene and data management
With so many employees working from remote locations, one risk to institutions remains top of mind – poor data hygiene. While proper data management has always been of key importance to protecting against data breaches, the remote workforce represents a risk as employees and students send unencrypted documents containing personal information back and forth via unencrypted emails or in messaging applications.
IT leaders should “double down” on training to cover the key aspects of FERPA, GLBA, HIPAA and other applicable compliance requirements as well as best practices and tools available to protect student and employee data. In addition, implementation of more advanced data loss prevention tools, especially in “active” mode, will block emails and data exports that may be moving sensitive information inappropriately.
Finally, all portable devices should be equipped with encryption to protect the data on the devices. These relatively inexpensive tools will make it harder for data to be lost through inappropriate data management practices and will help protect against breaches of student and employee data.
Don’t lose sight of cybersecurity
While the pandemic created unprecedented change in higher education, some things have remained relatively unchanged. The cyber threats of the past few years are continuing to affect colleges and universities even in the remote workforce, and the simple rules and tools for building institutional resilience against these risks remain readily available.
The world of higher education cybersecurity has faced its share of new challenges and pressures in the past year, but you can’t ignore the persistent threats building over the past decade. If your internal IT team is feeling the strain, our team of information security experts at Collegis Education can help!
Author: Jason Nairn
Dr. Jason Nairn serves as Collegis Education’s vice president of Information Technology and Security, providing IT leadership for several colleges and universities. Prior to joining Collegis, Nairn was vice president of Information Technology and chief information officer for Concordia University in Portland, OR.