In 2023, they were targeted by ransomware attackers more than any other commercial or institutional environment in the United States, according to John Fraser, the vice president of sales at cybersecurity company Trinity Cyber. The threats against them are ever evolving, especially with AI’s ability to create new accounts and IP addresses to provide new sources of attack in a matter of minutes.
Fraser and Curtis White, chief information officer and vice president of IT services at St. Mary’s University in San Antonio, teamed up at the 2024 EDUCAUSE Annual Conference to explore how to transition from panic to prevention mode.
The first step, they said Tuesday, is understanding how higher ed threats differ from commercial ones. The former’s very nature contributes to unique vulnerabilities that attackers understand and exploit.
One example is seasonality. In the commercial sector, the number of threats stays pretty stable month to month — but in higher education, it peaks when students receive more communications from their institutions, namely in April, May and August.
Higher ed institutions also have a very distributed community. Students, faculty and staff learn and work at different sites in different locations, and some are entirely remote — but they all need access to key online systems.
Across their sites, universities have a robust “bring your own device” environment, White said, with students bringing an average of five devices with them. Phones, laptops, tablets, smart watches and streaming devices all exist on campus networks, but also spend lots of time off these networks.
“We want their environment on campus to be like at home, with the amenities that they have at home,” White said. “But many computer users, they’re not used to an enterprise network. They’re not used to doing hygiene on their system, updating patches, making sure their OS is up to date, unless they get that nagging message that they’ve said no to half a dozen times.”
On the staff side of things, cybersecurity jobs are in high demand across the board, and the education sector struggles to compete with private companies on wages and benefits.
So how can colleges and universities efficiently prevent cybersecurity threats with minimal staff and systems that offer such a variety of ways to interact? Fraser and White outlined three points: education, systems and enforcement.
At St. Mary’s University, officials target education to when students are most vulnerable and meet them where they are. Incoming freshmen attend a session on cyber safety, including a breakdown of what emails from the university look like, so it is easier for them to tell when phishers try to impersonate official communications. They set up tables in high-traffic areas like dining halls and offer incentives for engaging with the educational content and exercises being offered. And when students return to on-campus housing after winter break, they’re met with an info sheet on cybersecurity taped to their door.
“I noticed that after that presentation with the freshman students, phishing drops considerably,” Isa Lopez, the interim chief information security officer at St. Mary's University, said.
Similarly, new employees are trained to be compliant with cybersecurity practices at their institution.
It’s important to raise awareness on cyber safety, the presenters said, but there must be established safety measures in place for which the campus community does not need to opt in. If a user is proven to be a repeated risk or does not engage in routine maintenance, that puts the whole system at risk. Systems need to account for these user-created deficiencies and respond accordingly.
“I say, ‘Hey, if they’re not fixed by Nov. 1, you’re only going to get traffic on our network. You’re not going to get out on the Internet,” White said. “If it’s not fixed by Dec. 1, you’re not even going to be on the network.”
These underlying systems play a key role in overall safety; they inspect all activity taking place on campus networks and can prevent, for example, a student from ever seeing a phishing email in the first place.
Google, Microsoft and the Cybersecurity and Infrastructure Security Agency are among the resources where institution officials can learn about bolstering their cybersecurity systems, White said, but he also noted professionals should work together to find solutions to evolving problems.
“We look at each other, on some levels, as competitors,” he said. “We don’t need to be competitors in cybersecurity. No one is coming to our campus because Campus A does cybersecurity better than Campus B. This is an area we need to be collaborating on, because we all have a vested interest in improving our stance in cybersecurity.”
