Opinion: Cybersecurity Month Should Be Year-Round

Cybersecurity Awareness Month was created back in 2004 by the U.S. Department of Homeland Security and the National Cybersecurity Alliance (NCSA). The president of the United States and Congress annually announce this month to draw attention to cybersecurity, and this year’s theme is “It’s easy to stay safe online,” intended to make the messaging more positive and easier to understand. The challenge for higher education is to sustain this message, stretching it over the other 11 months of the year. Quite simply, cybersecurity is not a “one and done” proposition. Campuses must recognize the risks, understand the costs, gather the necessary resources, and develop creative, sustainable communication plans.

WHY IS HIGHER EDUCATION MORE VULNERABLE TO ATTACKS?

There are a variety of reasons that universities are becoming more vulnerable to cyber attacks. First, the academic environment has long promoted the idea of freedom of expression, experience and access. In this environment, strict cybersecurity protocols may not have been properly implemented. Particularly in academic research, some faculty may be resistant to cyber protections, worried that it could affect their unfettered access to the Internet and data. As a column in The Chronicle of Higher Education pointed out in June, “Colleges can be especially susceptible to cyber attacks. Universities are built on principles of open inquiry and the free exchange of information that don’t always coincide with information-security best practices.”

Cyber criminals are aware of these potential security gaps and will aggressively exploit them, especially if cyber protection is lacking or has not been a campus priority. Colleges and universities have long had access to the Internet, and the campus culture itself may have resisted strong cyber controls. With the migration to digital platforms and the explosion of IoT devices, the challenges of securing a network are greater than they used to be, particularly if IT services and processes are decentralized.

WHAT ARE THE COSTS?

The costs for a cybersecurity breach can be significant, including not only financial loss but reputational injury to the institution, operational disruption, research loss, and civil and criminal legal dangers.

The financial costs of a cyber attack are staggering. In 2022, the FBI Internet Crime Report counted $10.2 billion in total reported losses from cyber attacks, up from $6.9 billion in 2021. The report also notes “not everyone who has experienced a ransomware incident has reported to the IC3 [Internet Crime Complaint Center].” The report also warns, “ransomware remains a serious threat to the public and to our economy.” This is a concern for both business and educational sectors, as artificial intelligence has the potential to make attacks even worse.

CURRENT CYBER DANGERS

There are a wide variety of cyber dangers for higher education, most notably phishing, ransomware and SQL (structured query language) injections. One notable type of phishing is called “spear phishing,” which occurs when an email that appears to be valid, but isn’t, targets a specific person or department within an organization. Cyber criminals have become very successful in creating “look-alike” emails which are sent to unsuspecting individuals. In August, the security-technology news website Security Today reported that a joint study by a Stanford University professor and the security firm Tessian found that 88 percent of data breach incidents are caused by employee mistakes. While the October cyber message says, “It’s easy to stay safe online,” it’s also easy for unsuspecting people to click on malicious links without pausing to see if they’re real or not.

Ransomware, which can encrypt valuable information and render it useless under the threat of “paying ransom,” is another increasing problem for higher education. A campus ransomware event could effectively stop operations, leak critical information and destroy an institution and personal reputation. According to a 2023 report by the cloud-security company Zscaler, “ransomware attacks increased by over 37 percent in 2023 ... compared to the previous year, with the average enterprise ransom payment exceeding $100,000, with a $5.3 million average demand.” While the most targeted sectors were manufacturing, services and construction, a 2023 survey by the U.K.-based cybersecurity firm Sophos documented that in the last year, “79 percent of colleges said they experienced a ransomware attack. That’s up from 64 percent in 2022 and one of the highest rates of all industry sectors tracked.” In May, Higher Ed Divenoted, “More than half of higher-education institutions targeted in ransomware attacks paid a ransom to get their data back.” This may be a necessary resolution for some institutions who could afford it or had the good fortune to have cyber insurance. Unfortunately, paying a ransom does not guarantee your data will be unlocked.

Another danger, SQL injections, occur when an attacker can bypass password protections on a website or application. As explained on the freelancing platform Toptal, “SQL injections work through exploiting weaknesses in the code underlying input pages (such as username and password login pages) and forcing a given database to return sensitive information.” If a campus doesn’t have proper cyber protections and management of their databases, their data is at severe risk of being compromised or stolen.

CYBER COMMUNICATIONS

Communicating the importance of cybersecurity to a college population can be challenging. Learning to craft a message to specific audiences and using the most effective communication channel is essential. It can be helpful to track cyber messages through graphically rich communication platforms such as Mail Chimp or Constant Contact. Reaching a 40 percent open email rate is quite good, but even then, 60 percent of the intended audience hasn’t even opened the email. Communicating via email isn’t the most effective way to connect to a campus audience.

Creating social media posts, posters and door hangers promoting effective cybersecurity behaviors will greatly add to overall campus messaging. Consider hosting in-person open forums and connecting to residence halls, as well as faculty and student governing bodies. It is also helpful to utilize innovative video messages. One effective video example on YouTube, “The CyberZone The Link to Disaster,” utilizes movie themes to engage audiences. Effective cybersecurity programming is much more than a one-month observance — it’s a yearlong proposition. Plan for it.