By François Amigorena, CEO, IS Decisions
To any IT security person working within a university, students are one heck of a headache. Old enough to make adult decisions but young enough to make naïve judgments, students pose a security challenge akin to holding water in a sieve.
Despite being digitally savvy and the future of the workforce, students often regard IT security as a barrier rather than a safeguarder — much in the same way as perhaps they view their parents in some situations. While mom and dad may know best, children will often do what they want to until something bad happens.
Arguably, it’s the same with cybersecurity. Until a student personally experiences the theft of their own data, which costs them money or causes any kind of hindrance, convenience is likely to be much more important than security.
And then the IT practices that are taken for granted by most employees by the time they turn 30 falls to the wayside.
The stats back up these assumptions. While 70% of higher education students are aware of the threats of cybercrime, most (80%) aren’t concerned by cyberattacks, and 65% don’t see cybersecurity as their concern.
These findings go some way to explaining students’ poor security habits. Many problems stem from poor password practice. For example, many students will use the simplest and easiest-to-crack passwords — sometimes the same one for all their accounts.
Indeed, a report analyzing more than 5 million stolen passwords in 2016 found a huge number of “ridiculously insecure” passwords, including ‘123456’ and even ‘password’.
And even when they may use simple passwords, those same students will forget or lose their login details, meaning they borrow their friends’ logins to do their work. IS Decisions research, for example, found that nearly 35% of those aged 16–24 have shared their password with at least one other person, compared with the average figure across all ages of 23%.
Aside from password practice, many students may also feel that it’s ok to leave their laptop logged in unattended in the library when they go out to take a break.
They’re not necessarily bothered about how they access their files and systems, provided they can do it quickly — and you can hardly blame them for the practices they adhere to if they’ve neither been trained nor had to suffer the consequences of a breach.
When many of today’s cyberattacks occur as a result of compromised credentials, this kind of lax security poses a real worry to IT teams within universities.
University systems are likely to hold the healthcare records, university files, bank details, addresses, phone numbers and much more for each student — and the practices by the students themselves are risking that data to exposure.
This combination of slack security and valuable information is a gold mine for cybercriminals and a nightmare for IT professionals working in universities to protect students.
To put things into context, a recent report by Dark Reading uncovered that thousands of stolen and fake student, faculty and alumni email credentials were available to buy on the dark web.
The usernames and passwords were linked to 300 of the largest and most well-known universities in the US. And with prices ranging from anywhere between $3.50 to $10 per email address, it’s clear that these credentials are in high demand.
University IT teams, therefore, must do more to protect their students, which is hard enough when the students barely help themselves.
Education with regards to cybersecurity is obviously key, but there’s only so many students will take in before lapsing back into bad habits. And those who do change their ways are still human.
They’re still prone to making mistakes like clicking on a link in a phishing email and giving up their university login credentials unknowingly.
So, what can you really do to better protect students?
Prevention is better than cure
In the past, IT teams within the education sector have only implemented security policies as a reaction to a breach, rather than pro-actively and pre-emptively put policies in place. That needs to change — in particular, to protect against compromised logins.
To better protect education institutions and monitor for potential threats, IT teams must take preventive measures to implement a network access control and identity management system that stops hackers in their tracks.
The future of identity management is, therefore, context-aware security. Context-aware security verifies the legitimacy of a login based on more information than just the correct username and password. This type of security analyses the time, the location, the device, the IP address and other contextual factors surrounding a login.
Based on that information, IT administrators can set rules that restrict logins to only those that don’t look suspicious.
For example, if the login details of a student at Harvard falls into the hands of an attacker based in China, the system can deny access because the login attempt is happening outside of Massachusetts — even if the attacker is using the right username and password.
This kind of security protects students against the consequences of phishing attacks and halts dangerous concurrent login practices, all without hindering the student or slowing them down.
It stops attackers from gaining entry and stealing valuable data or uploading ransomware. It provides the same strength security as multi-factor authentication without any of the hassles because the security simply acts in the background.
It protects against lax behavior and gives the university’s IT team peace of mind that those logging in to university systems are exactly who they say they are. It’s a win-win situation for both students and IT teams.
Context-aware security is, therefore, the future of protecting university IT. It’s the form of protection that students want, and IT teams need.
About the Author
François Amigorena is the founder and CEO of IS Decisions and an expert commentator on insider threat issues.
IS Decision is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations.
Its customers include the FBI, the US Air Force, the United Nations and Barclays — each of which rely on IS Decisions to prevent security breaches; ensure compliance with major regulations; such as SOX and FISMA; quickly respond to IT emergencies, and save time and money for the IT department.