Dive Brief:
- "Social engineering" scams such as phishing, which rely on manipulating users to reveal information, remain among the top cybersecurity threats in higher education, as a 2016 tax return scam at Virginia's Tidewater Community College highlights.
- At Tidewater, a finance employee was tricked into compromising the names, social security numbers, earnings, withholding and deduction information for over 3,000 current and former employees by a person emailing from what looked like a supervisor's official campus account, University Business reports.
- Alongside preventative measures like two-factor authentication, campuses are also expanding educational programs to ensure students, faculty and staff aren't duped by increasingly sophisticated cybercriminals.
Dive Insight:
The massive amount of valuable data held by institutions — from personal information to intellectual property and research — makes them an attractive target for cybercrime. And phishing scams have only become more complex, with the millions of .edu email credentials recently found to be available for purchase on the "dark web" only likely to further complicate matters.
But education and awareness programs remain the best measure of prevention when end-users are most likely to be the weakest link in the line of defense. At the University of Dayton, Associate Provost and CIO Dr. Thomas Skill launched a proactive, yearlong campaign around "cyber mindfulness" to engage faculty, students and staff in the habit of considering everything they do as a potential security risk. This measure included running regular phishing tests using a company called KnowBe4, sending updates and warnings and the latest security news, and offering incentives and prizes for people to complete certain actions.
And while two-factor authentication is a good line of defense in preventing email or other vulnerable logins from being hacked, institutions might also consider requiring members of the campus community to simply call the department or person in question if a request seems suspect.