Training, testing are key to cybersecurity

By Matthew Dembicki

Regular training for employees and students can keep hackers away from sensitive data.

It’s early evening, and you get an email from your college president saying she is at dinner with a potential donor and misplaced her credit card. You’re asked to pay the bill electronically by clicking on a link in the email. But you notice the email came not from the college’s system but from a Yahoo account.

If you’re properly trained, you won’t click on the link but flag the email to report to your system manager, who should follow established protocols. If you’re not well-trained and you click on the link, well, you may have just opened a path for a thief to enter your college’s entire computer system, exposing personal information of students, employees and others.

This is an actual exercise that cybersecurity experts advise all businesses — including community colleges — to undertake. That’s because it’s usually an unintentional but avoidable human mistake that exposes an institution to cyber theft.

Technology won’t protect you

Cybersecurity experts speaking this week at the fall meeting of the American Association of Community Colleges (AACC) in Arlington, Virginia, all stressed the importance of regular training for employees and students to keep hackers away from sensitive data.

“Don’t rely solely on technology to solve the problem. It won’t work,” said Lee Congdon, senior vice president and chief information officer at software company Ellucian.

Others agreed that technology itself won’t keep hackers at bay.

“It’s never a technology conversation; it’s a people and processes conversation,” said Lee Petry, a senior manager at VMware, a software subsidiary of Dell Technologies.

Hackers are becoming more sophisticated in their attempts to penetrate security, and colleges and universities are prime targets because of the vast personal data they hold, including bank account information, medical records and social security numbers. For example, thieves now send emails that look like authentic documents from a college president, complete with a college logo and signature.

“If you haven’t had one yet, you will,” said Josh Sosnin, vice president and chief information security officer at Ellucian.

Practice, practice, practice

In addition to training, experts recommend live drills, similar to emergency drills on campus. These should include presidents, payroll clerks, information technology staff, human resources, financial aid staff, the billing department and other “high-risk users,” meaning positions that thieves know could provide them access to sensitive data.

The exercise should test not only prevention but also response if there is a breach. For example, it’s a long holiday weekend and the college’s system has been compromised. The college president cannot be reached. Does everyone know the correct steps to follow?

“You think it’s someone else’s problem until it becomes your problem,” said Brent Knight, president of Lansing Community College in Michigan, who noted his college is “constantly pinged” as hackers look for vulnerabilities that will allow them into the college’s system.

Some employees may balk at such exercises, but college CEOs must stress their importance. In fact, at some colleges, employees don’t get access to systems until they take mandatory training.

“The tone from the top is extremely important,” Sosnin said.

Matthew Dembicki edits Community College Daily and serves as associate vice president of communications for the American Association of Community Colleges.