With cyberattacks on the rise, school leaders need to stay ahead of the risk curve. Technology products and services hit the market constantly, and keeping up with all the options and emerging risks is a daunting task.
Many higher ed institution leaders feel that they don’t have any information worth stealing, which is simply not true. One of the most prevalent types of cybercrime is not hackers stealing information or assets; it’s hackers denying you access to your information or assets and forcing you to pay to recover access. If hackers can disrupt your business and prevent you from working, they can try to extort money from you.
If the hacker’s request is small enough, many institution leaders figure that it’s less expensive to pay a couple of thousand dollars to get to a quick recovery than to perform their own more time-consuming recovery. However, if you pay an extortionist, your institution can be flagged as a soft target, and you could face additional attacks.
Here are two key ways leaders can protect their schools from cyberattacks:
Educate your staff
Most phishing and social engineering exploits take advantage of staffers who are not paying attention or are too trusting of the source. For example, many viruses evade detection by being in a password-protected file; the sender says it’s for security reasons, and the staffer doesn’t question why the password is being shared in the same email. To combat this, staffers should undergo ongoing cybersecurity training that includes testing to determine the training’s effectiveness.
There are very effective phishing testing services that not only evaluate who clicks suspicious links, but also help reinforce the training by pointing out how the person could have detected that the message wasn’t legitimate.
However, many institution leaders are reluctant to call out bad behavior, much less reprimand their staff for making careless mistakes. Administrators need to accept that sometimes they need to “fail” staffers. No one wants to be the reason that their school is shut down or loses critical data due to one careless click.
Plan for recovery
In the event of an attack, a school administrator needs to know how long it will take to recover and what level of business interruption they can expect during the response. Administrators often underestimate the recovery time for key systems, in part because they haven’t properly verified the processes. The worst time to discover that your systems are not adequately backed up is after a loss.
Many school leaders feel that their backup systems are adequate, yet it is always wise to get external validation and make sure all possible scenarios that could impact a school are considered. Having a solid understanding of the recovery options reduces the need to even consider paying an extortionist, or to have to explain why the organization had a significant business interruption.
Every school leader needs to take cybercrime seriously. Your school is a target, and is becoming a more compelling target every day. The old thinking was that you didn’t need to have perfect security; you just needed to be harder to hack. This is no longer the case, as hackers are targeting every organization with increasingly sophisticated attacks.
Educating your staff is your best and most powerful firewall. Social engineering and tricking staff into bypassing security systems are among the largest threats to every organization. Take the time to educate your staff on the risks, and be relentless in correcting bad behavior for the greater good of the institution.
Finally, understand your recovery options, and make sure that they’re not dependent on only one person. This is one area where getting external help can be particularly valuable. We all think that our own instructions are perfect and easy to follow. But following them during an emergency can be a different matter altogether.
George Breeden, a certified association executive, leads the Nonprofit & Association Practice at Hartman Executive Advisors. Hartman is an independent technology leadership and advisory firm that works to align institutional goals with IT strategy.