Campus Shadow IT: Why Higher Ed is Flunking Cybersecurity 101

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Justine Fox of NuData Security takes campus IT teams to school, and educates how Shadow IT can get their cybersecurity grades up.

I usually start the first day of class by asking my college-level computing engineering students a simple question: How many people back up their computers? The answer is surprisingly few — and even fewer test their backups.

As a higher education instructor, I witness how often routine cybersecurity measures — such as backing up files, keeping devices up to date, and maintaining a strong password — are overlooked or forgotten on campus. That’s true whether you’re in a classroom full of students, a meeting of professors, administrators, and staff, or anywhere else on campus. And the real-world consequences are clear: Nearly two-thirds of higher education institutions were hit by ransomware in 2022 — a massive jump from 44 percent just a year prior. In fact, the latest data from Microsoft’s Global Threat Activity tool shows the education sector reports more malware incidents today than any other industry.

Despite the heightened risk, it’s clear that many colleges and universities are failing Cybersecurity 101. Many students and staff remain woefully unprepared for attacks and unaware of potential threats. At the same time, institutions forgo basic cybersecurity hygiene, security upgrades, and education on digital literacy until an attack occurs. By then, it’s usually too late to act. Developing a strong cybersecurity culture requires schools to take a more proactive approach. Simple steps — like ongoing training, routine testing, and basic cybersecurity hygiene — go a long way toward preventing the next attack before it happens.

Widget not in any sidebars

Cheating the System: How Cyber-Criminals Exploit Human Behavior

Consider all of the sensitive data higher education institutions have on hand. Student, employee, and other personal identifiable information. Payroll, tuition, and financial documents. Medical records, legal documents, and enrollment data. The list goes on and on. Colleges and universities are a treasure trove for cyber-criminals eager to profit at the institution’s expense, whether they are selling information online, opening credit cards under a student or administrator’s name, or taking money out of an institutional bank account. And the damages — both in terms of reputation and financial costs — can be devastating. Take a look at the University of California, San Francisco, which paid a $1.14 million ransom after hackers gained access to the School of Medicine in 2020.

The threat has only grown over the past two years as schools expanded online courses, switched to digital platforms, and adopted an influx of technology tools to aid learning. Bad actors have exploited these new vulnerabilities with alarming success: Nearly three-quarters of ransomware attacks on higher education institutions succeeded last year, the highest rate of any industry. But the most significant vulnerability isn’t the technology itself– it’s the people who use it. A whopping 95 percent of all cybersecurity attacks boil down to human error. And with thousands of students, faculty, and administrators, there’s no shortage of potential risks on campus.

Consider a typical student: They’re probably a little stressed and swamped, running on little sleep and lots of caffeine, and using a patchwork of technology tools and devices to complete their coursework. They may not take the time to update their devices or consider the dangers of sharing information with classmates via third-party platforms, let alone spend the time and energy to verify whether the last email in their inbox comes from a trusted source.

Now, consider faculty and staff: They rely on technology in a different way than their students, but they present no fewer vulnerabilities. For example, faculty members may use unauthorized platforms or services to deliver lectures or permit students to turn in work faster than going through the school’s IT department. At home, they may use their own personal device to access class lists or other sensitive student information.

The do-it-yourself approach to technology — known as Shadow IT — compromises even the best cybersecurity configurations. Colleges and universities often have a particularly hard time reining in Shadow IT. Every department maintains its own protocols and processes, and each staff member has their own approach to the technology they use in class, making it harder for the IT department to find rogue actors and create an organization-wide approach to cybersecurity. All of these factors culminate in students and staff becoming prime targets for phishing, pretexting and other social engineering attacks that take advantage of human behavior to breach defenses and gain unauthorized access to information. However, the very same people can also become the institution’s first layer of defense against such attacks.

There’s No Need for Cramming: Your study Guide to Basic Digital Hygiene

It’s vital for institutions to empower every person on campus to recognize threats, protect their information, and do their part to prevent attacks. Cybersecurity is a group project— and everyone has a role to play.

As students and staff return to campus this fall, here are a few simple steps higher education institutions can take to help defend their technology infrastructure against the next cyber-attack:

1. Create (ongoing) learning opportunities. Students, faculty, and administrators don’t leave the door open for cyber-criminals out of ill intent. They may accidentally download a malicious file because they want to use more convenient digital tools, or mistakenly respond to a phishing email because they want to be helpful. More often than not, people simply don’t understand potential risks — and bad actors prey on this ignorance. That’s exactly why education and cyber literacy can make such a big difference. Your institutions should provide cybersecurity training to every person when they first set foot on campus or log in for online classes— and that training should be ongoing, frequent, and widespread throughout a student or employee’s time at the institution. Once you have training in place, it’s important to test people’s knowledge. That could look like a mock phishing campaign asking students to provide tuition information to an unknown source or an online cybersecurity test for professors before they start teaching each fall. The goal isn’t to shame people or make them feel bad for falling for a scam (it can happen to any of us, I assure you), but rather to create an atmosphere of education, awareness, and engagement when it comes to cybersecurity.
2. Standardize cybersecurity hygiene. When it comes to cybersecurity, the little things make the biggest difference. Basic cybersecurity hygiene — including devising secure passwords, using multi-factor authentication (MFA), and routinely patching and updating defenses — are among the most effective measures your institution can take.. Your IT department should implement those standards across your systems, platforms, and apps. Security configurations should leave little room for end users to personalize or customize settings. For example, consider implementing requirements for users to update their password every few months and restrictions that prevent staff from bypassing your firewall. While these restrictions may lead to some frustration among students and staff, standardized security procedures ensure that digital best practices are in place across your institution. Granted, there are instances when security precautions fall to the individual — and that’s why providing education and training for students and staff is so vital. But generally, the more precautions you can take out of the hands of individuals, the better.
3. Don’t procrastinate. Be proactive. Much like studying for a test or writing a paper, bolstering your cyber defenses happens best in small incremental steps. Instead of procrastinating and waiting until a potential threat materializes, your institution needs to take proactive measures to prevent a threat from becoming a successful breach. New technologies can ingrain proactive defenses into your security configuration. In particular, device intelligence technologies can identify trusted devices that access your online services regularly while increasing friction for bad actors. For example, behavioral biometric verification helps verify returning users’ identities and detect suspicious behavior coming from bad actors or automated bots — allowing you to trigger additional security steps as needed. Behavioral biometrics work by analyzing users’ actions’ (how they type, the way they move the mouse, or where they log in from) as well as their habits (the time of day they usually log in or how long they spend online) to verify identity without prompting the user to type in a password or take other steps. Likewise, sophisticated device tooling can recognize a returning device and link that device to an authenticated account — creating a unique user-device pairing that enables a more seamless sign-in experience. New user-device pairings, meanwhile, prompt identity verification through MFA or one-time-password (OTP) codes. These tools, like all strong cybersecurity measures, require an upfront investment. But preventing a cyber-attack before it happens pays dividends in the long run.

Cybersecurity probably isn’t top of mind when you’re preparing for a mass of new students to arrive on campus in the fall. I get it. But when you’re stuck dealing with the fallout of a data breach or trying to retrieve files from a compromised device, you learn your lesson the hard way. It doesn’t need to be that way. By practicing basic digital hygiene and adopting a few simple precautions, students and staff can focus on the most important part of higher education: learning.

Whether it’s backing up your laptop or providing campus-wide training on social engineering tactics, cybersecurity is all about preparation, education, and diligence. The question is: When the next threat emerges, will you be ready to ace the test?

Widget not in any sidebars