Top Lessons from the Study
Getting campus to "threshold awareness" the biggest leverage point
Small to medium-sized breaches are a question of when, not if, because higher education institutions, highly decentralized and full of diverse information sets, are a data-rich soft target.
Often-cited reputational risks are arguably overstated in the mainstream media; little evidence exists that data breaches risk student enrollment, but a stronger case can be made for research, advancement, and state legislature oversight.
The more significant and likely cost is recurring expense from small breaches (i.e., less than 10,000 records) creating business distraction and remediation expense.
The biggest opportunity to reduce an institution’s risk profile is not by strengthening controls against malicious actors, but instead by educating faculty, students, and staff to stop being “unintentionally unsecure” and to practice basic security hygiene.
Why do current security efforts fall short?
Most security education programs have a mass-marketing bias; they use ubiquitous cues, humor, and shock value to “get noticed” by busy constituents rather than trying to sustain behavior changes.
In addition, awareness efforts lack relevance for end users; they come from the central IT office and focus on institutional consequences, rather than originating from managers or colleagues and focusing on individual work and department risks.
Finally, security awareness efforts are episodic and reactive; delivered as a campaign or in the hurried aftermath of a breach event, campaigns have to start all over again every term with new students and staff.
Foundational requirement: Hardwiring breach response
The single biggest preventable security management problem is not having well-defined processes in place for triaging, escalating, and communicating security breaches. Schools lacking such processes have to educate a broad range of stakeholders in moments of crisis, incurring unnecessary remediation expenses and bad PR.
To combat this issue, some institutions are not only creating breach response processes, they are also appointing a Breach Response Leader: a single owner who temporarily drops everything to focus on response, and who is tasked with correctly and quickly executing process.
Tailor security risk education to different end users' "hot buttons"
Security teams are finding success by creating replicable processes for making security education relevant to the different incentives of boards, faculty, students, and staff.
One successful practice is to link board education to high-profile stories in trade press. Private-sector incidents can be used for just-in-time education about the nature of threats and adequacy of current institutional protections. Security teams can also create unit-level security profiles referencing “live” faculty projects, illustrating how unsecure behaviors can threaten individual faculty grant funds, research data validity, and ongoing scholarship. Existing security trainings can be repurposed to teach employees and students better security practices for their personal devices and information; the habits they learn for their own digital safety will encourage them to employ better security behaviors at all times.
Demonstrate vulnerabilities: Show end users "this could happen to you"
Creative security teams are reusing existing security monitoring efforts to educate units and individuals about avoiding vulnerabilities. Sharing results of DLP monitoring and board security heat maps, and showing units how they fare against university norms are low-risk, high-value practices. Just sharing the information can change behavior, as no one wants to perform worse than their peers.
Demonstration hacks and self-phishing provide even more individualized evidence of vulnerabilities by showing end users the tangible things they could lose through unsecure behavior. While there can be downside risks of employing such practices—end users may feel tricked and react negatively—successful programs say these risks can be mitigated with proper “pre-wiring.”
Incentivize secure decisions: Appeal to carrot-and-stick incentives of leaders
Our research did not find many IT groups charging back the costs for security breaches to units. Most breaches result from multiple points of failure and innocent, first-time offenses, and it’s not worth disrupting relationships with charge-backs. Those who do charge back for breaches do so sparingly, only for incidents traceable to individual units and repeat offenders who have consistently failed to adhere to basic security practices. The purpose is not to recover costs, but to get deans’ attention and encourage them to personally enforce standards going forward.
Successful programs get positive buy-in from deans and department chairs for new cyber risk mitigation policies by appealing to financial and mission incentives alongside reduced department-level vulnerabilities. In addition, security teams can offer perks to academic leaders to get them on board.
Elevating Security Awareness
Security Awareness Diagnostic