As institutions of higher education reel from recent cyberattacks in the United Kingdom, IT departments work tirelessly to secure sensitive student data. Student records offer a wealth of personally identifiable information (PII), from birth dates and social security numbers to bank account numbers and home addresses. In parallel, a study released by EDUCAUSE in July 2020 notes that the CIO’s Commitment on Diversity, Equity, and Inclusion (DEI) reports that 83.1% of respondents strongly agree that “diverse, equitable, and inclusive workplace environments foster more effective and creative teams of technology professionals.” Although these two issues appear unrelated at first glance, bringing diverse voices to the cybersecurity table may provide a way through, rather than around, the current security struggles facing remote learning models in higher education.
At the beginning of June, an Inside Higher Ed article noted that while institutions of higher education were traditionally not often targets of ransomware attacks, three high-profile ones indicated a shift in cybercriminal methodologies. However, in September, a barrage of ransomware attacks on colleges and universities in the United Kingdom led the UK’s National Cyber Security Centre (NCSC) to issue an alert.
As institutions of higher education accelerated their digital transformation strategies, cybercriminals recognized that they offered a plethora of non-public personally identifiable information (NPI). Institutions of higher education struggle with limited IT resources and an abundance of legacy technologies that make security difficult.
However, even more importantly for cybercriminals, individual institutions also have some of the most diverse populations across racial, gender, and age demographics when compared to other industries.
Often, ransomware attacks are part of a broader social engineering attack. Social engineering attacks target users’ emotions as a way to trick them into clicking on either a risky link or download.
Problematically, when higher education IT departments assume that students, as presumed digital natives, are a lower risk, they are using an outdated mentality. In an EdTech Magazine article published on September 16, 2020, Helen Patton, CISO for The Ohio State University, explains the problems inherent in this assumption, noting, “they’re very sophisticated in a few areas, like social media. But in higher education, there are certain technologies they haven’t been introduced to before and they are certainly not secure in the way they handle those.” As IT professionals work to prevent ransomware attacks, they need to focus on the different types of social engineering risks across their divergent populations.
Students, for example, may be able to parse out smishing or social media messenger attacks, but emails attempting to steal credentials by posing as help desk professionals looking to reset learning application passwords might be successful.
Meanwhile, the opposite may be true for certain faculty and staff. Younger professors and staff may not be as susceptible to a phishing email, but employees working with a department’s social media might be more likely to fall prey to a fake social media profile.
Finally, institutions of higher education need to consider that race, gender, religion, and sexuality differences on a campus may also increase the likelihood of social engineering attacks targeted at socio-political beliefs. College and university students, developmentally speaking, are seeking to find their adult identities, which can make them more susceptible to social engineering attacks that incorporate identity or political beliefs.
All the technical controls in the world cannot mitigate the risks associated with social engineering. Institutions can enforce spam blocking, but ultimately, someone will click on a malicious download or link that leaves the entire infrastructure at risk.
While most organizations struggle to overcome the predominance of white men in their IT departments, higher education also needs to respond to end-user generational, developmental, social, and political diversity in ways that the large enterprise does not.
DEI in higher education IT hiring offers one way to help reduce these risks. Although outdated in terms of statistics, the 2018 (ISC)² report, Innovation Through Inclusion: The Multicultural Cybersecurity Workforce, details the way in which creating a diverse, equitable, and inclusive IT department can help create a more robust approach to cybersecurity, explaining, “creating a culture that inspires workers to approach problems and challenges from different perspectives that ultimately help an organization excel. Diversity is not only important for driving company growth and profit, it is vital in the cybersecurity profession that depends on unique approaches to problems and challenges to protect an organization.” Cybersecurity, especially when looking through the lens of social engineering and ransomware attacks, depends on understanding all end-users, not just a subsection of them.
Although many colleges and universities promote DEI initiatives at the student acceptance and faculty hiring levels, applying these strategies to their IT departments offers an extra layer of risk mitigation. If the IT department represents the entirety of the campus population, then the department will have a wider-ranging view of the social engineering attacks that can be successful.
For example, if college and university IT departments limit themselves to older, white male employees, they may not be able to recognize the emotional sway some social engineering tactics have on the young, black female population. Similarly, an IT department consisting predominantly of Millennials may not be able to effectively recognize the types of emotional arguments that are successful against Boomers or Gen X employees.
A holistic defense-in-depth approach to higher education cybersecurity needs to incorporate both the technologies and people that help protect end-users. IT departments cannot assume that all users have the same motivations, especially when colleges and universities create carefully cultivated campus communities by focusing on DEI.
As higher education’s IT stacks increasingly incorporate cloud services, CIOs need to push for greater inclusion across the IT department. DEI cannot be limited to the campus student and faculty body because when the IT department itself is not representative of the campus, the IT professionals become disconnected from their end-users. Creating diverse and inclusive teams within the IT department can better protect the university’s IT stack while adding to the institution’s overarching DEI mission.