It’s early evening, and you get an email from your college president saying she is at dinner with a potential donor and misplaced her credit card. You’re asked to pay for the bill electronically by clicking on a link in the email. But you notice the email didn’t come from the college’s system, but rather from a Yahoo account.
If you’re properly trained, you won’t click on the link but flag the email to report to your system manager, who should follow established protocols. If you’re not well-trained and you click on the link, well, you may have just opened a path for a thief to enter your college’s entire computer system, exposing personal information of students, employees and others.
This is an actual exercise that cybersecurity experts advise all businesses — including community colleges — to undertake. That’s because it’s usually an unintentional but avoidable human mistake that exposes an institution to cyber theft.
Technology won’t protect you
Cybersecurity experts speaking this week at the fall meeting of the American Association of Community Colleges (AACC) in Arlington, Virginia, all stressed the importance of regular training for employees and students to keep hackers away from sensitive data.
“Don’t rely solely on technology to solve the problem. It won’t work,” said Lee Congdon, senior vice president and chief information officer at software company Ellucian.
Others agreed that technology itself won’t keep hackers at bay.
“It’s never a technology conversation; it’s a people and processes conversation,” said Lee Petry, a senior manager at VM Ware, a software subsidiary of Dell Technologies.
Hackers are becoming more sophisticated in their attempts to penetrate security, and colleges and universities are prime targets because of the vast personal data they hold, including bank account information, medical records and social security numbers. For example, thieves now send emails that look like authentic documents from a college president, complete with a college logo and signature.
“If you haven’t had one yet, you will,” said Josh Sosnin, vice president and chief information security officer at Ellucian.
Practice, practice, practice
In addition to training, experts recommend live drills, similar to emergency drills on campus. This should include presidents, payrolls clerks, information technology staff, human resources, financial aid staff, the billings department and other “high-risk users,” meaning positions that thieves know could provide them access to sensitive data.
The exercise should test not only prevention but also response if there is a breach. For example, it’s a long holiday weekend and the college’s system has been comprised. The college president cannot be reached. Does everyone know the correct steps to follow?
“You think it’s someone else’s problem until it becomes your problem,” said Brent Knight, president of Lansing Community College in Michigan, who noted his college is “constantly pinged” as hackers look for vulnerabilities that will allow them into the college’s system.
Some employees may balk at such exercises, but college CEOs must stress their importance. In fact, at some colleges, employees don’t get access to systems until they take mandatory training.
“The tone from the top is extremely important,” Sosnin said.
It’s also important to train students on how to securely use the college’s email and other systems, which can be done during student orientation, said Monique Umphrey, vice president of workforce innovation and dean of information technology at Cuyahoga Community College in Cleveland, Ohio. Aside from protecting the college, training students teaches them to be “good digital citizens” and provides them with skills that can convey into their careers, too.
Scott Feinstein, senior director of public sector at VM Ware, emphasized that college students and adjuncts come and go, but the training must be continuous and consistent.
A breach doesn’t have to come from an email. It can come from other sources, such as mobile devices or even thumb drives. Umphrey noted an employee can come across a thumb drive in a parking lot and plug it into their computer to find out who may own it. He may see a file labeled “payroll” and out of curiosity click on it. Bam — that person did exactly what a thief hoped he would do, providing a portal to enter the college’s system.
With the proliferation of devices, it’s important for colleges to share policies about using devices that employees and students bring to campus, Feinstein said. A college doesn’t want to cut off the use of those devices, but it should limit access to certain data. He highlighted an incident at a university where a professor was trying to secure a grant from a potential donor, who requested personal data about students. The professor sought the information, but he did not have access it, and his search was flagged.
The issue of cybersecurity was a topic at several of the AACC commission meetings, and at each one training and education were emphasized as part of the protection process.
“Prevention, even though expensive, is always going to be less costly” than remediation after a hack, said Maria Harper-Marinick, chancellor of the Maricopa Community College District in Arizona and a member of the AACC board of directors.