Higher Education Innovation In Action

Cybersecurity Awareness - Educating Staff and Students About Phishing

CS Staff May 25, 2017

Two major security incidents have been in the news in recent weeks: a phishing attack that targeted millions of Gmail users, and a ransomware attack that hit dozens of countries, including the UK, where it crippled the National Health Service (NHS) for a time. Although cyber-attacks don’t always make the headlines, they happen with alarming frequency at colleges and universities. Higher ed has long been an attractive target for attackers because of its information-sharing ethos, the wealth of sensitive data it keeps on file, and a BYOD (bring your own device) culture that keeps technology decentralized and difficult to manage.

But technology can only go so far. No matter how secure your network may be, your end users are the first line of defense in an attack. That’s the main message behind leading cybersecurity awareness programs, and it’s why colleges and universities around the country have stepped up efforts to educate staff and students about phishing. Last month, University Business magazine took a look at what some institutions are doing to raise awareness.

Simulated Phishing Attacks

One of the most popular ways to educate students and staff is through simulated phishing, according to the article. Some schools develop phishing campaigns in-house: IT staff send out a fake phishing email with an embedded link, and any user who clicks the link is taken to a web page that reveals the simulation and offers further educational information. The link is normally unique to each recipient, so that clicks can be attributed to the right person and followed up without anyone being able to trigger a click on a colleague’s behalf.

Other schools partner with outside vendors like KnowBe4, which specializes in security awareness training and phishing simulations. The Florida-based firm offers videos, games, posters and other products that can be customized to fit the needs of many types of organizations.

Additional Techniques to Raise Awareness

The article also suggests a few other ways that schools can communicate the importance of cybersecurity. For example:

  • Schedule annual presentations for incoming freshmen
  • Send out campuswide email alerts any time there is suspicious activity
  • Hold a “security awareness day” with engaging and fun activities for students

Bolstering the Technology

Of course, technological security is still an important piece of the puzzle, and while schools are educating users, they’re also requiring multifactor authentication for logins, hardening firewalls, and tuning and monitoring spam filters so that malicious messages are caught before they reach inboxes.

Phishing Simulation Tips

If you’re interested in launching phishing awareness training at your school, whether in-house or through a third party, keep in mind that a well-designed simulation should:

  • Present users with a realistic lure, the kind of message they actually receive (a password reset, a shared document, a message from the help desk), rather than an obviously fake one
  • Include a follow-up meeting for end users and IT personnel to discuss the results of the campaign (for example, the percentage of users who fell for the simulation, reported in aggregate rather than by naming individuals) and how to avoid scams in the future
  • Prompt further security training based on the results
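The in-house simulation described under “Simulated Phishing Attacks” (a per-recipient link embedded in a fake email, a landing page that records the click) and the click-rate figure discussed in the follow-up bullet above can be sketched in a few dozen lines. The example below is added here as an illustration and is not code from the article, from University Business, or from any vendor; the campaign name, landing host, roster, secret and log format are all made up. Each recipient gets a link carrying an HMAC-derived token, so a guessed or forwarded URL cannot be used to pin a click on someone else, and the report counts each user at most once while setting aside log lines whose token does not verify.

```python
"""Per-recipient tracking links and click-rate reporting for a phishing
simulation. Added illustration only; all names below are hypothetical."""
import base64
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed campaign roster: (user id, department).
ROSTER = [
    ("asmith", "Admissions"),
    ("bjones", "Admissions"),
    ("cwu", "Library"),
    ("dlee", "Library"),
    ("eperez", "Library"),
]
CAMPAIGN_ID = "spring-2017-password-reset"     # hypothetical campaign name
LANDING_BASE = "https://awareness.example.edu"  # hypothetical landing host
# Fixed only so the example is reproducible; a real campaign keeps this in a
# secret store and rotates it per campaign.
CAMPAIGN_SECRET = b"demo-campaign-secret-do-not-reuse"


def make_token(user_id, campaign_id=CAMPAIGN_ID, secret=CAMPAIGN_SECRET):
    """Unguessable per-recipient token: HMAC-SHA256 over campaign and user,
    truncated to 128 bits and URL-safe encoded. A forwarded link still
    points at its original recipient, and nobody can mint a valid link for
    a colleague without the campaign secret."""
    msg = f"{campaign_id}:{user_id}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode().rstrip("=")


def tracking_url(user_id):
    """The link embedded in the simulated email (/c is the landing page)."""
    return f"{LANDING_BASE}/c?" + urlencode({"u": user_id, "t": make_token(user_id)})


def verify_click(url):
    """Return the user id if the link's token is genuine, else None.
    compare_digest avoids leaking the token byte-by-byte through timing."""
    qs = parse_qs(urlsplit(url).query)
    user = qs.get("u", [None])[0]
    token = qs.get("t", [None])[0]
    if not user or not token:
        return None
    if not hmac.compare_digest(token, make_token(user)):
        return None
    return user


def campaign_report(roster, log_lines):
    """Summarise clicks per department and overall. Each log line is
    '<timestamp> <client ip> <request url>' (constructed format). A user
    counts once however many times they click; lines whose token does not
    verify, or that name nobody on the roster, are counted as rejected."""
    dept_of = dict(roster)
    clicked = set()
    rejected = 0
    for line in log_lines:
        parts = line.split()
        user = verify_click(parts[2]) if len(parts) == 3 else None
        if user is None or user not in dept_of:
            rejected += 1
            continue
        clicked.add(user)
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0})
    for user, dept in roster:
        totals[dept]["sent"] += 1
        if user in clicked:
            totals[dept]["clicked"] += 1
    report = {}
    for dept, t in totals.items():
        report[dept] = {**t, "click_rate": round(100.0 * t["clicked"] / t["sent"], 1)}
    report["overall"] = {
        "sent": len(roster),
        "clicked": len(clicked),
        "click_rate": round(100.0 * len(clicked) / len(roster), 1),
        "rejected_lines": rejected,
    }
    return report


# Constructed click log: one user clicked twice, one clicked once, and one
# line is a forgery where someone knew a colleague's user id but not the token.
SAMPLE_LOG = [
    f"2017-05-10T09:14:02Z 203.0.113.5 {tracking_url('asmith')}",
    f"2017-05-10T09:15:40Z 203.0.113.5 {tracking_url('asmith')}",
    f"2017-05-10T10:02:11Z 198.51.100.7 {tracking_url('dlee')}",
    f"2017-05-10T10:30:00Z 198.51.100.9 {LANDING_BASE}/c?u=cwu&t=AAAAAAAAAAAAAAAAAAAAAA",
]

if __name__ == "__main__":
    for user, _ in ROSTER:
        print(user, tracking_url(user))
    print(campaign_report(ROSTER, SAMPLE_LOG))
```

One practical caveat when reading the numbers: mail security gateways and link scanners often fetch every URL in an inbound message, so a landing page that only records the first hit will overcount. Keep the raw log, and treat a request that arrives seconds after delivery from a scanner’s address range as noise rather than as a user click.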

The ultimate goal of a phishing drill is not to trick or embarrass your staff or students, but to educate them so they can better protect themselves, and, by extension, your systems and network.