Strengthening Higher Education Cybersecurity — Insights You Should Know
REN-ISAC Q&A with Julie Moog, Managing Director for TIAA’s Cybersecurity and Fraud Management Organization
Note: Thank you to TIAA, one of REN-ISAC’s amazing partners, for helping to bring the highest level of cybersecurity awareness and information to our members and the public.
Julie Moog is the Managing Director and Executive Information Security Manager for TIAA’s Global Cybersecurity and Fraud Management organization. In this question-and-answer article, she shares new insights on how you can strengthen cybersecurity in your higher education institution. She addresses a range of timely topics and best practices focused on phishing, ransomware, generative artificial intelligence, and the skills shortage.
TIAA collaborates with REN-ISAC in sharing cybersecurity thought leadership and best practices with higher education institutions while enhancing the growing movement towards cybersecurity becoming a more expansive community sport.
Q. What are the biggest obstacles to detecting and preventing the biggest cyberattacks such as phishing and ransomware?
A. More convincing phishing emails: Right now one of the biggest obstacles is that generative AI technology is enabling bad actors to create more convincing-looking and harder-to-detect phishing emails. The fact that these phishing emails look so real is an obstacle to detecting and preventing them. The more convincing the phishing email, the more likely the target victim clicks on a malicious link or attachment.
A. Hard to know how much to spend: Innovative risk quantification engines can be used to figure out quickly how much to spend on cybersecurity. This is a huge benefit because the education industry during 2023’s third quarter was the most cyberattacked industry among 17, ahead of government (#2) and healthcare (#3), according to Check Point Software Technologies. Financial services was #6.
A 2023 survey titled ISC2 Cybersecurity Workforce Study finds 78 percent of education organizations have cybersecurity staffing shortages – the highest percentage of 23 industries.
Q. What should higher ed do about widespread ransomware attacks, ransomware as a service, and ransomware extortion/exfiltration?
A. Be careful about paying ransoms: First, it may not be in your best interest to pay ransoms, because if you do, bad actors will be more likely to attack you again seeking more ransom money.
A. Back up your data: Second, back-ups help if your data is encrypted and unable to be used. If a bad actor copies the data and threatens to post it, the back-ups don’t help. Copying your data is a way around the back-ups. They don’t lock down your systems, they just copy the data and threaten to post it unless you pay.
Q. What should higher ed do about distributed denial of service (DDoS) cyberattacks which often are part of ransomware attacks?
A. Identify a DDoS attack: If you notice a flood of attacks on your network, you’re probably the target of a DDoS attack. Bad actors launch these to disrupt and shut down your email system, websites, and online accounts.
In such cases back-ups won’t help. Various tools are available to identify and automatically alert you, block IPs sending traffic, and otherwise stop these attacks. DDoS attacks are relatively easy for hackers to launch, so these tools are very important to investigate.
A. Use rate limiters and load balancers: Use rate limiters and global load-balancing for managing the flood. Consider using these tools to reduce the number of requests to your servers and applications; and shift and redistribute that data to multiple locations.
Q. How widespread are DDoS attacks in higher education, how do they relate to ransomware attacks, and what can be done to avoid them?
A. Education major target of DDoS attacks: First, education continues to be a major target of DDoS attacks. In 2021 there was a 102% increase in such attacks aimed at colleges and universities compared to the prior six months, according to NetScout.
A. Ransomware and DDoS attacks are inter-related: Second, ransomware and DDoS attacks are often inter-related and combined by bad actors to create multi-dimensional disruption. With ransomware capabilities improving, bad actors are using pre-ransom emails that promise future DDoS attacks to networks, websites and applications.
A. Proactively monitor: Third, it’s key for higher ed organizations to proactively monitor for DDoS attacks and, if detected, minimize their severity by blocking malicious traffic. During an attack it’s key to monitor it in real time and make adjustments as attack patterns change.
Q. What are the most widespread types of social engineering attacks against higher ed, and which ones should we be most concerned about in 2024? Smishing? Vishing? Spear phishing? Quishing? Deepfake videos? Deepfake voice calls?
A. Phishing emails: Like in many other industries, bad actors continue to prioritize the creation of fake phishing emails designed to lure victims to click on malicious links or attachments. They keep doing this because it continues to be effective.
Bad actors usually are seeking specific types of information such as log in credentials, social security numbers, and credit card numbers.
In higher education they’re often attempting to steal sensitive student data such as grades and student loan amounts, credentials of employees, or sensitive research data being done by professors.
A. Smishing and vishing: In 2024, you’re likely to notice an increase in other types of social engineering attacks such as smishing (text messages to smartphones) and vishing (phone calls to smartphones).
A. Deepfakes: Bad actors are likely to launch more deepfake video and audio attacks designed to impersonate people in power such as the university president talking on a video telling students something misleading or false to disrupt the institution.
Deepfakes are a growth industry. From 2022 to 2023 there’s been a 10-fold increase in the number of deepfakes detected globally across all industries, according to Sumsub. Deepfake incidents in the United States have risen 3,000 percent during this time period.
One of the most effective ways to defend against phishing and deepfakes is to regularly run simulations of these attacks with employees so they become more adept at detecting them.
Q. What are some ways generative AI could be used in higher ed to better detect and prevent cyberattacks?
A. Ask gen AI about higher ed attacks: You could ask a generative AI tool to give you specifics on the most likely types of cyberattacks against higher ed institutions, when they are most frequently launched, by whom, and from where.
Q. What are some issues about using generative AI in the classroom between students and teachers – such as the threat of plagiarism — and what can be done to address these issues?
A. Teachers need to set up guidelines: Teachers will need to set up and enforce guidelines for how students can use generative AI tools for schoolwork. For instance, a guideline could be that students are not allowed to use the tool to write papers; or they can use it for research but not the writing; or they can write a paper and type it into the prompt to see how it can be improved; or they can have students ask the tool to write a paper and then they will be graded on how they edit the paper.
Q. What are some ways to protect highly classified research information in higher ed from cyberattacks?
A. Encryption: First, encrypting this sensitive information is one way to protect it from cyberattacks. Data should be encrypted in storage, in transit, and when being processed. Often, file-level encryption is also appropriate.
A. Restrict access: Second, restricting access to this highly classified information would also strengthen security. The fewer people who can get to it, the harder for bad actors to find and exploit the data.
Q. What are data challenges in higher ed that are leading to cyberattack vulnerabilities?
A. Open culture: First, higher ed institutions tend to have open cultures where widespread sharing of information is encouraged. This openness makes it easier for bad actors to operate.
A. Huge amounts of sensitive data: Second, higher ed institutions tend to have huge amounts of sensitive data such as student grades and loan information, professors’ classified research, and administrators’ salaries. Bad actors know this information is valuable which is why they so often target higher ed.
Q. What can be done to address the current talent shortage in higher education?
Skills gaps are especially widespread in the education industry. A recent finding from the ISC2 survey finds that 78 percent of higher ed institutions said they have cybersecurity staffing shortages — the highest percentage among 23 industries.
A. Assess compensation processes against private industry: Make sure to offer competitive pay packages and benefits.
A. Foster a tech-savvy environment: Technologists like to be innovative, to work with the latest, and to have the opportunity to be thought leaders. Create that culture.
A. Launch job fairs on campus: Launch job fairs on higher ed campuses where pros could learn about the interesting and career-advancing work they can do in higher ed.
Q. What can be done to improve cybersecurity skills among higher ed professionals?
A. Provide tools to help them continuously learn the latest and greatest: Certainly these professionals will need to become skilled at using the latest and greatest cybersecurity tools to help detect and prevent cyberattacks. They’ll also benefit from learning how to become experts in prompt engineering, cloud computing, AI, zero trust, and supplier risk management — all of which are skills in high demand.
Q. What skills will be most important in higher ed over the next 2-3 years to strengthen cybersecurity?
A. Prompt engineering, cloud computing, and zero trust.
Q. What are your biggest budgetary challenges when it comes to cybersecurity?
A. How much to spend: A huge challenge is figuring out how much to spend on cybersecurity. Money is not unlimited so it’s key to be able to quantify in financial terms how much to invest and what financial benefit that will deliver.
Q. What are actions you think higher ed security professionals could take to gain more budget for cybersecurity?
A. Quantify cyber risks: Research and quantify how much needs to be spent on cybersecurity and what financial benefit that will provide the institution. Use risk quantification engines to better estimate the costs of attacks and recoveries, and share industry stats on how often these attacks occur.
Q. What can be done about the siloed and open information-sharing culture in higher education that contributes to the major cyberattack risks?
A. Strengthen security of most sensitive data: Identify and prioritize protection of the most sensitive and valuable information and don’t make that part of the open-sharing channel. Only allow a few people access to that information who absolutely have to see and use it. To ensure data can’t be exfiltrated, disable USB drives and block sites where data can be posted online.
Q. Related to this, what can be done about supply chain and third-party cyberattack vulnerabilities in higher ed?
A. Ask about cybersecurity programs: Ask members in the supply chain and third parties to share details about their cybersecurity program, how they protect data, etc. The more you can find out about this the more you can be confident in the security of that data.
A. Consider switching: If you don’t get cooperation you feel is necessary from a supplier, give serious consideration to switching to different suppliers. Also, help your internal business partners realize the risk.
Q. Could you share 2 actionable takeaways we can all use to fortify our cybersecurity defenses?
A. Phishing simulations: First, conduct regular phishing simulations with higher ed employees so they get better at detecting and reporting them.
A. Bring in an independent company for maturity assessment: Bring in an independent company to conduct a maturity assessment of your cyber program and work with stakeholders to implement needed changes on a prioritized basis.
Q. What are the latest cybersecurity training programs for security professionals, professors, and students?
A. Certification programs: There are plenty of certification programs available to the higher education community and valued by employers. A few examples include:
- ISC2’s Certified Information Systems Security Professional
- ISACA’s Certified Information Security Manager and Certified Information Systems Auditor
- Infosectrain’s Certified Governance, Risk and Compliance
Q. What are the trends to hire professionals into cybersecurity with “non-technical” backgrounds?
A. Growing demand for creative thinking: Less technical skills are becoming more valued such as a potent combination of critical thinking and creativity, an intense curiosity and eagerness to learn, clear communications, and adept social interaction capabilities. All of which reminds us that no matter how much technology there is in a business and job, relationships with other people still matter enormously. A cyber organization may also need finance professionals, graphic designers to help with awareness campaigns, project managers, and more.
A. Curiosity, eagerness to learn: A skill that may not always be on a job description but is becoming increasingly sought after is an intense curiosity and eagerness to learn. This means, for instance, absorbing everything you can about specific ways cyberattacks using generative AI can be detected faster and easier. Those who crave this kind of knowledge and are relentless in reading, researching, and thinking through all this to find the answers, and relate cybersecurity’s biggest threats and how to prevent them, will be well positioned for success.
Results from an ISC2 survey underscore this point: 39 percent said curiosity and eagerness to learn have grown in value during the past year.
“While AI can identify patterns, predict outcomes, and automate complex tasks, it lacks a depth of understanding that stems from genuine human curiosity. Employee value is shifting from simply having knowledge to applying curiosity: the ability to question, interpret, and reimagine that knowledge.”
A. Social interaction and communications: Can you interact well with others on your team? Are you a co-worker who lifts people up and spreads positive vibes? Are you able to communicate your thoughts clearly and with poise, class and conciseness capturing the essence of a business situation so everyone understands why it’s important?
If so, you’ll be well positioned to advance in your cybersecurity career no matter how much technological change occurs.
A. Demand for communications skills increasing: Reinforcing this point, the ISC2 survey unveils that the most important qualifications for cybersecurity professionals seeking jobs are strong communications skills at 38 percent – a substantial rise from 33 percent in 2022.
Q. What are latest trends in hiring Chief Information Security Officers (CISOs) in higher ed?
A. More aligned with leadership: Generally CISOs will be working more closely with the top leaders of their higher ed institution, so executive-level leadership skills are becoming more in demand.
Q. What are trends regarding “burnout” of higher ed cybersecurity workers?
A. Not enough cyber pros: Simply put, there aren’t enough cybersecurity professionals working in higher ed to fend off all the cyberattacks against these institutions. So these professionals are having to work longer hours with little help and it’s making them tired. Cybersecurity is stressful because the stakes are so high. To address this problem, higher ed needs to give these workers more time off and fortify their cyber staffs with more people to lighten the workload and cut the stress.