Communication key in fighting higher education ransomware, CISOs say
Communication with instructors and students is still crucial to fighting ransomware attacks against higher education institutions, though there needs to be a safety net, a group of university cybersecurity officials said during a panel discussion Thursday.
Schools are centralizing data storage, adopting multi-factor authentication and segmenting networks for students, staff and researchers to protect data in case of a breach, panelists said.
Mary Dickerson, the chief information security officer at the University of Houston, said that where her department once addressed security on a case-by-case basis, leaders have implemented more standardized data-storage practices to protect research and other critical information. While she said some employees initially balked at the new approach, they increasingly understand that there are not enough resources to protect data when it’s scattered across the university.
“The reality is, it’s not [the instructor’s] data, it’s the university’s data,” she said.
The coronavirus pandemic prompted cybercriminals to be more creative in their approaches to infiltrating university systems, spoofing department chair emails and enticing students with potential financial aid, panelists said during the event, which was hosted by the email-security vendor Proofpoint.
St. Louis University CISO Rebecca Harness said whenever a press release went out about researchers conducting early coronavirus research, she would see a rise in phishing attempts aimed at those individuals. Distance learning and remote work demanded by the pandemic also prompted more students and workers to use personal devices and to be more trusting of suspicious emails because of rapid, unprecedented changes.
“They’re expecting things to be different, but they don’t know how,” Dickerson said.
Addressing these threats includes teaching instructors, students and researchers not to be fooled by more sophisticated phishing attacks, but also sharing tips like “what boxes to tick” when using videoconferencing tools like Zoom for schoolwork and meetings, Harness said. Though students are returning to campus, these tools aren’t going away and will still be used for both virtual and in-person classrooms, she added. Panelists said publishing standard cybersecurity protocols can take some of the guesswork out of cyber hygiene, with practices like teaching researchers what to do if they receive a suspicious email.
“Take heart in the fact if you’ve been following standards and best practices all along, you don’t just throw that away and start over,” Dickerson said.
Though a security approach based solely on educating students and workers on proper cybersecurity protocols is “doomed to fail,” Harness said, it’s still important to consistently run education programs. A recent report from Verizon showed 85% of breaches included a human element.
“The message we’ve been sending up to academic leadership is that ransomware is our No. 1 threat,” University of Oklahoma CISO Aaron Baillio said.
Another part of the overall communication strategy at Oklahoma is checking in internally to discuss where threats are coming from and how they are evolving, he added.
That big-picture approach to cybersecurity can get bogged down in day-to-day work, and all three panelists said automation tools would be a top purchase if their departments received more funding. Dickerson said her department is already requesting proposals for technology to help manage routine tasks. She said threats are evolving faster than human staffing can address, and technology can’t always keep up, so leaders are looking for the “right mix” of automation and human touch.
“We need that automation to keep low-level tasks in place,” Baillio said.