Skip navigation
Research Report

How to engage your campus in a security-first culture

We’ve long known that higher education institutions are vulnerable to cybersecurity attacks given their rich data sets and distributed and changing population of end-users. But recent movements to the cloud and the pandemic-induced transition to remote and hybrid work has expanded the perimeter that already-strapped IT units need to protect.

Cyberattacks have increased both in frequency and ferocity, leading to compromised operations, leaked personal data, multi-million-dollar losses, and even school closures. Now more than ever, IT leaders and their teams need the support of boards, cabinets, and the overall campus community to improve their institutional security posture and protect their institutions from devastating attacks.

Our recent executive roundtable, Developing a Security-First Campus Culture, offered CIOs the chance to collaborate and discuss ways to tackle these very challenges. Read on to learn about some of the roundtable takeaways that are most useful for institutions, or download the slides from the roundtable.

Download Session 1 Slides Download Session 2 Slides

 

Review the Key Takeaways

 

1. Three main challenges to building leadership commitment to enterprise-wide security

  • “”

    Security risks are not appropriately elevated

    IT leaders often struggle to get leadership to perceive cybersecurity as an institutional risk rather than an IT concern. This is partly because leadership often lacks sufficient awareness about the risks they need to weigh in on while the responsibility for action solely falls on the CIO or the CISO. As one CIO told us, “We lack a systematic way of involving non-IT leaders in assessing, accepting, or mitigating risks for the institution.”

    Institutions can address this issue by creating an enterprise-wide risk-assessment system where the highest-priority risks are proactively elevated to highest levels of leadership, including cabinets and boards, for mitigation or acceptance.

  • “”

    Leadership lacks decision-making preparedness

    When risks inevitably become incidents, leaders often lose valuable time and make suboptimal decisions because they are not adequately prepared. Organizing executive-level table-top exercises can provide cabinet leaders with the opportunity to flex their decision-making muscles prior to incidents.

  • “”

    Distributed stakeholders flout information security policies

    Finally, boards and cabinets can help CIOs protect institutions by empowering IT to enforce compliance with security policies across campus. At Virginia Tech University, the board clearly articulated in a resolution that the “vice president of IT has the full authority to establish and ensure compliance” with IT security policies and set the expectation that “departments are obligated to support” the vice president on IT’s security policies.

2. Improving end-user engagement in security

When we look at the origination of cyberattacks, a majority of the time, breaches are a result of human errors. Boston Consulting Group recently conducted an analysis of 50 major attacks in 2021 and found that 77% of the time, these breaches are the result of organizational, process, and people failures. Only 23% is due to inadequate technology. So, our security trainings must get at the heart of where people trip up—whether it be through phishing, spear phishing, spoofing, or simple mistakes when it comes to sharing data.

Traditional training strategies such as annual, one-size-fits-all training with no penalties for non-compliance are no longer sufficient. Components of effective training now include:

  • 1

    Gamified training platforms

    Ohio State University provides the option to end-users to take trainings as if it’s a game, on their own time and pace, across the year using the Cybersecurity4You platform. Users earn points for completing training, and those points help them achieve up to five levels, which translate to rewards ranging from charitable donations to digital subscriptions.

  • 2

    Department-tailored training

    InfoSec teams from Arizona State University connect with individual departments to discuss their units’ specific business needs and the types of training messages that will resonate best with their units.

  • 3

    Mandatory training with non-compliance penalties

    One of the best examples comes from Barry University, where their president sent an email out to all instructors and staff in summer 2021 announcing the new annual security training policy, and communicated clearly that if they fail to comply, they will have their network access suspended until the course is complete. They also ensured everyone carve out time for the trainings by allocating an additional “summer half-day” to all instructors and staff as an incentive for doing the trainings.

  • 4

    Measuring training performance with monthly self-phishing campaigns

    Fairfield University recently saw a dramatic decrease in their failure rate by the tenth month of conducting monthly self-phishing campaigns, despite sending out more sophisticated phishing emails.

This resource requires EAB partnership access to view.

Access the research report

Learn how you can get access to this resource as well as hands-on support from our experts through IT Strategy Advisory Services.

Learn More

Already a Partner?

Partner Log In