Gone Phishing: The Threat Facing Higher Ed Tech Leaders

April 23, 2018  |  by: Todd Yates

As any IT analyst will tell you, phishing is a credible threat to private data everywhere.

Along with malware and ransomware, phishing is among the most common types of cybersecurity threat. Bad actors will go to great lengths to disguise their identity, whether it’s an embedded link in an email that asks for sensitive information or a fake deactivation scare.  Sometimes these threats can be targeted to key individuals – controllers, bursar, registrars – and are based on research the phishers have done on your institution.

As higher ed tech moves from single data storage centers to a hybrid cloud-based infrastructure, leaders in the field are grappling with just how to prevent incidents of phishing from becoming more prevalent affecting their students, faculty and staff.

What are the risks for phishing on a cloud-based platform?

Phishing is a problem in the cloud for the following reasons:

1. External data storage requires more scrutiny because of “ease of access”:

Both the primary benefit and the primary concern for cloud-based data hosting is the ease of access. One of the primary goals for utilizing cloud services is broadening access to those off-campus and to help make it easier to legitimately access campus services.  Conversely, anyone with privileged access to the cloud service has free reign to take whatever confidential data is present in the system.

Cloud computing functions on a decentralized model managed by a third-party data hosting company. A school hires the data hosting company, which owns different servers across a variety of networks. User data from the school is then hosted across these servers, and the school pays for enough storage space to ensure fast processing time. This is how many enterprise systems are built and managed.

From a cybersecurity perspective, issues arise when data is decentralized. Each network has to have its own set of security measures, and not all systems are as secure as others. For the cloud-hosting company charged with monitoring the data, it can be hard to tell the difference between approved personnel and a bad actor posing as approved personnel. The bottom line is that third party monitoring is rife with challenges and, as a result, there are more opportunities for an intelligent cybercriminal to sneak in. As a result of these risks, it is imperative CIOs hire a transparent cloud-service company – one that goes above and beyond in their communication efforts.  

2. Software updates may not be done on time

Third-party negligence is also a factor when it comes to software updates. If the cloud company forgets to perform a software update (or adequately fix a security malfunction), data breaches are far more likely to occur. Once again, CIOs must perform due diligence in the contract process. Transparency, communication, and thorough security infrastructure are important indicators of an excellent cloud-based company.

3. Insufficient Identity Management

Cloud-based companies have a responsibility to ensure their platforms are safe from cyber threats.

But the primary responsibility lies with the customer. Working with a secure cloud provider means very little if you, as an institution, do not have a comprehensive security policy in place. In common oversight made by educational IT departments is an insufficient identity management system.

The goal of identity management is to ensure the right users get access to the appropriate assets at all times. All too often in the ed tech space, IT managers have put three or four permission authorization walls between an authorized user (a student) and information pertinent to them (their class information, etc.).

A fine balance must be struck between ensuring ease-of-use and prevent cyberattacks.

What can Ed Tech leaders do to prevent phishing?

Proactive educational technology leaders have designed some different systems to prevent phishing from affecting their faculty and study body. While every institution poses its own set of challenges, there are a few common strategies deployed by CIOs across the country to deal with cyber threats. These include:

3a. Educate Employees and Students

The primary target for bad actors is the end user. If your student body or faculty are unaware of the risks, then cybercriminals will have a walk in the park. An informational campaign launched around campus detailing the signs of phishing is an efficient way to let end users know that they are the target, and that constant vigilance is needed. A ‘Cyber Mindfulness’ campaign at the University of Dayton is a good example of an educational approach that, along with running consistent phishing tests, can keep users up-to-date.

3b. Develop a Security Policy and Strategy

Every school should update their security policy once a year, as new technologies and cyber threats come into the equation. A well thought out security policy always starts by understanding your vulnerabilities. It could be slow system upgrades, ensuring patches are in place, or poor integration of legacy software with cloud computing. Whatever the issues are, you need to focus on the weakest link before anything else.

Once the weaknesses have been identified, a cloud security strategy can be outlined for the entire IT team to follow. As Kasey Panetta describes, a proper strategy should include:

✓     Setting up appropriate visibility controls

✓     Better requirement analysis

✓     Sophisticated architecture

✓     Flexible risk acceptance

✓     A risk model that reflects the cloud model

 

At rSmart, we took the initiative in 2014 to become and remain compliant with the Cloud Controls Matrix of the Cloud Security Alliance, one of the most comprehensive controls guidelines for cloud-based services.

3c. Put up a SPAM Filter

SPAM filters on every registered email are essential, especially for faculty. A SPAM filter will detect viruses and identify black senders entering the network. It is very common for bad actors to target business officers and faculty because they have access to private or proprietary data.

Conclusion

There is no prescribed method for dealing with phishing. Any extensive network consisting of personal and proprietary data is at risk. The responsibility falls on the shoulders of a proactive CIO who must develop policies, educate the end user and build security measures into the network to mitigate the threat – however it may present itself.

 

Next Article
CampusConfirm, Making Data Compliance A Little Easier. Okay, A Lot Easier.
April 26, 2018 by Delphina Saragosa