While most college or university students have grown up using internet-enabled devices, it doesn’t necessarily follow that they are savvy and careful about online safety.
With the explosion of the internet of things (IoT), there are now more connected devices than there are people in the world, which provides an exponentially growing opportunity for cyber criminals to steal, disrupt and exploit.
Perhaps the most effective defence against criminals’ activity is knowledge of their tactics and how to reduce the risk of becoming a victim.
Jisc research (2017) found that:
- 83% of universities provide training for staff, which is compulsory in 46% of cases
- 40% offer training to students, but only 8% insist that students take a course
I’d argue that instruction on good security practice is essential for all end users – that’s staff and students. They need to be able to spot dodgy websites, iffy emails and other common attack vectors. For universities and colleges, it’s about extending the scope of student care to enable their learners to live an easier and safer life.
When unattractive is a good thing
Reducing risk in this context is about making your environment as unattractive as possible to criminals. In the physical world, if your house is the only one in the street surrounded by a high fence, with anti-climb paint on the drainpipes and prickly shrubs under every window, burglars will probably look for an easier target.
The same principle applies to online property; if you protect your accounts (particularly email), your privacy, and your devices as best you can, then your attack surface is minimised – a bit like a stealth bomber.
These aircraft are designed to have a very small area visible to radar. If you can minimise that radar blip and look like a seagull nobody is going to pay much attention, but a massive plane is a different thing altogether.
What more can universities and colleges do to help?
In my view, the more that organisations can do automatically to protect end-users, the better.
Let’s take the machines owned by universities and colleges: they should be covered by advanced versions of anti-virus and anti-malware software and probably a web filtering service, which takes out some illegal material. If you don’t use web filtering you’re potentially leaving yourself open to reputational damage. Email content filtering will pick up some spam, and a few filters will pick up phishing attempts too.
Something that adds a complication is that students are often using their own devices, which may not be as secure as those owned by the university or college. Many institutions will have deals with software providers that let students use the software on their own devices at discounted rates – and that’s a good idea.
Institutions need to be advising students on appropriate protection methods and putting that in a code of use and their security policies. If people are going to use your systems, they have to adhere to the rules, and ignorance is not an excuse.
Seven steps to staying safe online:
- Suss out suspicious apps: Why, for example, would a calculator app be asking to access your phone’s camera? It doesn’t need to, so it probably has an ulterior spying motive. Apply common sense.
- Avoid the phisherman’s hook: One of the recent scams that first-year students are subjected to is an email telling them they’ve won a bursary and all they need to do to get it is to hand over their bank account details. The rule is, if it seems too good to be true then it probably is.
- Take care what you click: If you receive an unsolicited email from someone you don’t know, or a strange email from someone you do know that contains a puzzling attachment or a link, it’s best avoided – it could be a virus, or a spoof website.
- Resist temptation: Students are often targeted for use as mules to launder money. It sounds great – hand over your bank details and you get £50 a week, no questions asked – but you’d be breaking the law by allowing someone to use your account for illicit purposes.
- Beef-up passwords: Use a separate password for your email account, which, if breached, can often provide access to many of your other online accounts. A solid password is one that comprises a short phrase of at least three words, plus numbers and/or other characters. Avoid using obvious passwords such as children’s or pets’ names, which criminals may be able to guess after looking at your social media accounts – so be careful what you post. It’s best never to repeat passwords and, so you don’t have to remember them all, to use an online password safe, which will store them all securely. The government's Cyber Aware campaign has further advice.
- Keep computers healthy: Install anti-virus software (a free package is better than nothing), back up regularly, and update software when prompted to do so, as updates often contain security patches.
- Preserve privacy: Be very careful about communicating personal or sensitive information when using public computers, or a public wi-fi network, which are vulnerable to hackers. Your name and address may be all that’s required to steal your identity, for example. Be similarly wary of what you post on social media and check your accounts’ privacy settings to limit who can see what. Ideally, use a VPN (virtual private network), which uses data encryption to hide internet activity.
Think you’re playing safe online? Take our short quiz to find out.
To find out more about Jisc's work in cyber security, go along to Networkshop, 27-28 March 2018, in Birmingham.