The majority of college students are not aware of any cybersecurity breaches at their institutions despite most IT departments on campuses reporting such incidents, according to a recent report from CDW-G.
A survey of 250 higher ed IT professionals and 300 students reveals that 91 percent of IT professionals who have experienced a cybersecurity breach say they have communicated the news to the student body, yet only 26 percent of students say they are aware of the incidents at their institutions.
“I don’t think we’ve done a good job of crafting the narrative and telling the story of cybersecurity,” says Michael Corn, chief information security officer at the University of California, San Diego. “College is usually the first place students interact with administrative types of systems and learning management systems, so it’s a real change for them.”
Although many institutions have mandatory cybersecurity training for faculty and staff, very few—if any—do so for students.
Students do not have access to sensitive university information such as payroll, and the scale of a small IT staff providing training for thousands of students often makes such a practice prohibitive, says Michael Dinger, a cybersecurity researcher who is an associate professor of management in the Johnson College of Business and Economics at the University of South Carolina Upstate.
“The mechanics of actually getting students to do any training and take it seriously is really difficult,” Dinger adds.
Large-scale training can be done online, but finding effective platforms and incentives that engage students can be a challenge. Training during first-year orientation, while logical, may also not be successful as students are usually bombarded with information and cybersecurity does not always make a strong impression.
“You hear a lot of people say students don’t care about privacy, and that’s simply not true—they just view it through a different set of lenses than someone over 40,” says Corn, also a co-chair of the higher education information security council of Educause.
To improve communication regarding cybersecurity, IT departments should:
- Partner with academic departments to cover the subject in classes, such as with guest lectures. Corn says students are most ready to absorb information in the classroom, and speakers can create a stronger message if they have the support of professors.
- Implement two-factor authentication, where users need a code in addition to a password to log in, says Corn. This should be over and above standard protections of reminding students to develop a strong password, to not share passwords, and to keep software security patches updated. Currently, only 39 percent of institutions require two-factor authentication, according to the CDW-G report.
- Take a more “mindful” approach to security, since hackers continually evolve to stay ahead of security measures. Rather than bog down students with specific rules, Dinger says, focus on making them more aware of risks, such as any email they receive that asks them to send a file or personal information.
“The more we can do to educate our students—not only to protect our own systems, but to set them up in life to protect themselves—the better,” says Dinger.