What’s the grade on cybersecurity?

College students often worry about good grades, making friends and avoiding the freshman 15. Now they have to worry about the possibility of their personal information being leaked by hackers.

According to a 2015 study by Cloud Passage, a security company, U.S. universities get an F for cybersecurity education. The study also found that out of 121 participating schools the University of Alabama is the only one to require three or more cybersecurity classes for graduation.

“Cybersecurity to the common person I think its almost like insurance use to be. You want me to spend money to protect myself from something that hasn’t happened yet,” said Dr. Jane LeClair, senior advisor at The National Cybersecurity Institute at Excelsior, an academic and research center dedicated to cybersecurity policy, technology and education.

“Cybersecurity it’s not a product, it’s not a person, so they’re putting money into something that they don’t really see an immediate value for in many cases.”

When students choose what university to attend the threat of a cyber attack may be the last thing on his or her mind. By the time they should worry about protecting themselves, it’s already too late and they’ve already become a victim.

Personal information such as loan information, addresses and social security numbers are in the hands of hackers. Hackers use the personal information of victims to commit fraud like opening accounts in the victim’s names.

LeClair said that like many other organizations and universities have a wealth of private information from their students, donors and alumni so that makes them a prime target.

All cyber attacks can’t be prevented but LeClair offered suggestions that can help universities so they won’t become victims of a cybersecurity attack.

“What all the colleges should be doing is hardening their systems to ensure that they have adequate protections in place, adequate policies and that they’re following their policies and they’re training their employees and doing some penetration testing,” said LeClair.

According to a 2015 Symantec Internet Security Threat Report, 10 percent of the education sector reported a data breach.

Students should be careful with their personal information at all times. That sometimes can be easier said than done. They are often required to give out our personal and that can make them vulnerable.

“The majority of the responsibility lies within the organization and ensuring the organization has have done their due diligence,” said Dr. LeClair.

The SANS institute, a company that specializes in information security and cybersecurity training, has a six step incident handling process in place should a security threat occur.

  1. Preparation: A set of rules should be set so that the organization knows the exact procedures to follow. It’s also important to communicate and know who to call when a security threat happens.
  1. Identification: Gather information such as error messages and log files to determine if an incident has occurred..
  1. Containment: This step tries to limit the damage and prevent any future damage.
  1. Eradication: Removing malicious content and restoring the affected systems.
  1. Recovery: When affected systems are brought into production to be used again.
  1. Lessons Learned: The organization documents anything that wasn’t done during the incident.

Hackers spend their time scoping for victims. They know academic institutions have personal information and that’s one of the reasons why hackers target them. Is there such a thing as 100 percent safety from cybersecurity attacks?

Maybe not.



Photo at top from: h2htech