4 COVID-era cybersecurity threats CISOs are confronting
The cybersecurity challenges colleges and universities face during the COVID pandemic are growing more in scale than in style, a panel of higher ed chief information security officers said Wednesday.
An increase in phishing attacks, efforts to steal COVID research, and a sharp rise in the number of employees working remotely are among the top challenges, the CISOs said in a webinar hosted by the cybersecurity company Proofpoint.
“The underlying risks haven’t changed that much,” said Helen Patton, CISO at The Ohio State University. “We were already dealing with remote workers … what has changed is the proportion of people in those situations.”
Here’s how Patton and two of her colleagues said they are leading their institutions in confronting the evolving cybersecurity threats:
1. Phishing
Phishing attacks seek to gain access to an institution’s network by tricking a user into sharing passwords and other personal information.
Similar attacks attempt to convince users to click on a link that downloads malware onto a computer, allowing hackers to infiltrate a college or university network.
“We recognize phishing as the single greatest threat to privacy and security today,” said Michael Tran Duff, CISO at Stanford University.
Higher ed CISOs shouldn’t assume all students are experts at all things tech. While they may have mastered social media or gaming platforms, they may be less adept at maintaining online security, Patton added.
Ohio State regularly phishes students and faculty as a way to train all users to spot threats. Stanford also prioritizes phishing its users regularly, but Duff said that has limited efficacy.
Automating email systems to spot phishing attacks before they ever land in a user’s inbox is the ultimate goal for higher ed CISOs, he said.
2. Remote workers
The rapid growth and acceptance of remote work present new opportunities for colleges and universities. For one, it expands the talent pool universities can hire from, Duff says.
Of course, securing remote devices is not as easy as protecting computers on campus. Stanford has therefore launched “Cardinal Key,” an institution-wide initiative to go “password-less,” Duff said.
A Cardinal Key is a digital certificate that is installed on a device and provides a user’s identity to a remote server, the university’s website says.
Ohio State has “doubled down” on security awareness as more students and employees work remotely. These efforts include reminders about not using the same password for multiple sites and regularly updating operating systems.
“If we can help people be secure in their personal pursuits, they’re going to bring that thinking to being secure for the university,” Patton says.
3. Protecting research
The FBI has warned institutions of attempts to steal COVID research, says Erik Decker, chief security and privacy officer at University of Chicago Medicine.
This environment can be jarring to researchers who, by the very nature of the work, share information with other scholars throughout the process, he said.
“It’s a super delicate balance,” Decker said. “Research is about generalizable knowledge, giving back to the world, but we can’t just open the door and let any country walk in and steal the stuff.”
One vigorous cybersecurity technique that is gaining traction in higher ed is called “zero trust,” which strictly limits access to networks and requires extensive verification.
A shift to this level of protection will require buy-in from institutional users, Patton says.
“In higher ed, we’re all about throwing open doors, sharing our knowledge with work, and trusting everybody,” Patton says. “To say don’t trust anybody, validate everything, is a message that really clangs.”
4. Digital hygiene
Low-tech awareness remains a key component of cybersecurity.
As colleges and universities make ever heavier use of videoconferencing—with hackers attempting to infiltrate those sessions—instructors must be cognizant of the information they’re giving out during virtual classes, Patton says.
“When you’re sharing with a class of 30 students, you can’t assume it’s only those 30 students in the room,” Patton says.
Campus CISOs and their teams can also remind students—and parents—to be more cautious about the information they share online.
Campus CISOs also will face more demand to vet new software that instructors want to use in their courses.