As seen on Les Experts Tech...
Universities have realized that cybersecurity is a major issue. Given the value of the data they hold, they have become a prime target for attacks that can come from both outside and inside. These threats are not ignored. This is evidenced by the efforts made to protect networks and equipment on campus and the significant increase in the budgets allocated to cybersecurity in higher education in recent years.
Admittedly, these initiatives are positive. But what too few actors in higher education (or other sectors) realize is that cyberthreats are constantly evolving. Today, cybercriminals increasingly target the vulnerabilities of individuals, not just technologies. These individuals are academic staff, but also students who, for a variety of reasons, may be particularly vulnerable to more and more sophisticated forms of social engineering.
The malicious actors multiply the techniques of approach to trap their victims. For example, they send out more and more realistic phishing emails, use fraudulent applications or impersonate university officials to get people, even the most vigilant, to click on a malicious link or download a piece of information. attached corrupt. Setting up defenses such as firewalls or antivirus helps protect individuals. But the most effective strategies for cybersecurity are those that also take into account the need to build resilience in individuals, through training and awareness programs. Without this level of consciousness, there will always be someone, staff member or student somewhere
Training and awareness programs are generally designed to learn how to increase vigilance and be the last line of defense against attacks targeting an organization. The simulation of phishing attacks and the use of gamification programs are really effective in preventing individuals from becoming victims of a cyberattack. Unlike other organizations, universities have to deal with the large target rotation of these attacks, in other words students, who may be particularly vulnerable to phishing attacks, especially those who are entering the university for the first time this fall. Email is a communication channel favored by universities, loan and housing organizations,
When looking at threats to students, it is easy to deny the responsibility of advocacy as an individual issue. Universities need to look at the degree of student interaction with digital networks and services on campus. Students use their own laptops and other mobile devices that do not fit within the security perimeter established by the university. They connect to centralized university systems and access critical data as part of their studies. An error - a click on a malicious link at the wrong time - can cause significant damage. Knowing this, putting in place an effective, structured and inclusive student program is a very worthwhile investment.
Some higher education organizations in the United States have already taken steps to introduce training and awareness programs for students and not just for staff. For example, Carnegie Mellon University (CMU) in Pittsburgh, which has about 1,400 staff members and 14,000 students, found in its own research that 18-25 year olds are particularly vulnerable to phishing attacks. Add to this that attacks are becoming more sophisticated and increasingly bypass antivirus filters, the university considered that it was necessary to educate the entire community of users.
The CMU has set up a program based on advanced phishing simulations, allowing administrators to assess the vulnerability of users to social engineering practices. When users are trapped by an attack simulation, the system logs their error and triggers real-time learning sequences, explaining how to avoid being trapped by similar attacks in the future. Once the proven effectiveness of the program for staff, the university has deployed two campaigns dedicated to students. These campaigns incorporated complementary game-based training modules, teaching users to identify fraudulent web links on social networks. The advice given to users after the phishing attack was simulated reduced the number of participants trapped by phishing by 50%. From now on, CMU integrates gamified training into its program and all first-year students are required to take these courses as part of an e-learning program.
In the face of increasingly sophisticated threats targeting individuals and not just technologies, French higher education stakeholders must clearly re-evaluate their approach to cybersecurity. Campuses are places to connect and share ideas. Technology should facilitate this instead of placing students in a rigid security straitjacket. If universities fail to properly orient their security strategy, universities may turn their backs on the real threat. Developing the resilience of students in the face of cyber threats is an investment not to neglect because it concerns the university as a whole.