
How to Run a Cybersecurity Awareness Training Program in Academia
May 15

Broadly speaking, universities are comprised of 3 groups of individuals: those that carry out cutting-edge research, PhD students, and those that provide the administrative functions usually referred to as ‘Professional Services.’ Yes, this is an oversimplified view of the academic setting, but more on that later. There is one more group that you’re likely thinking I’ve omitted - yes, the fourth group - the students.
Cybersecurity means different things to all these groups. Furthermore, cultures and modes of thinking vary across individuals according to their places of origin and the specificities of their backgrounds. This has material consequences for the deployment of cybersecurity awareness programs and how such efforts are perceived by the end user.
Having worked as a cybersecurity professional for many years, it took me a long time to understand each mindset. With each passing year, my own understanding and interpretation change. To add another couple of elements to this already complicated cultural mix: the culture of the institution accrued over decades, and the diverse subcultures of each department. Each cultural layer warrants a blog post of its own – we’ll get to each in subsequent posts.
How Does a Cybersecurity Professional Drive a Cyber Security Awareness Program in Academic Settings?
Short answer: very carefully.
Let’s take the first group: the academics or professors who are usually at the tip of the spear for research activity. They need access to all types of information required for their research with a zero-hindrance policy. This is understandable, given the very important job they do conducting research to better humanity, inform government policymaking, and improve our understanding of the universe.
The second line of researchers – the PhD students - need access to information from various sources to deliver their own PhD theses. Again, the demographics within this group and across departments can vary quite a bit.
The Administrators/Professionals also require information to ensure the continued success of the institution. Generally, these include Estates, Finance, HR, Alumni Relations, Student Registry, and Information Technology and Cyber Security.
I am reminded of an incident at a very prestigious institution in India, where a student hacked the exam results to give themselves better grades. Unfortunately, such things do happen and must be guarded against via effective and engaging awareness programs.
Within this large and diverse ecosystem, how does one deliver an effective cybersecurity awareness program that protects the digital environment, builds digital trust, and provides assurance to funders and regulators that cybersecurity is in a good place?
Understanding Cybersecurity Risk in Academia
Before we find solutions, we need to understand what the threat landscape is for an academic institution. Again, a very short answer – almost every threat actor (fancy term for hacker) is keen to attack an academic institution for several obvious reasons.
I’m going to pick a couple that I think are especially compelling to cybercriminals. One is information about ‘VIP’ students. If there are high profile students attending these institutions, their personal information is always of interest to hackers. Another key one to note is that academic institutions have links to sensitive funding organizations such as the government, military, or corporations. This provides an easy way to enter such facilities for further theft if credentials are left carelessly unsecured.
Effective Approaches to Enhance Cybersecurity Awareness Training
A suitable model to work with all stakeholders is to continuously ENGAGE them. This contributes to building trust. To start, one must reach an understanding of the funder’s cybersecurity requirements in the working relationship. The next step is to define the environment that the researcher is working in and what elements could be vulnerable.
I will focus on the cybersecurity awareness training dimension of this scenario for the purpose of this blog.
Given the myriad players comprising an academic institution, what can we do to make cybersecurity awareness training effective? In short: TARGET end users with relevant information about their area.
Yes, this requires a lot of work.
But the truth is that one size does not fit all when it comes to cybersecurity awareness training. Some users may be advanced IT users in, say, databases, so providing them with relevant information on security issues and appropriate controls would help. It helps to ADAPT your message to the relevant audience. Again, there are other controls that would help, but they are out of scope for this blog piece. This would ENABLE better two-way communication between the cybersecurity teams and broader stakeholders within the institution.
Yes, I hear the objection: “I have just one team member or maybe no team at all. Hell, I don’t even have a budget.”
Practical Tips for Cybersecurity Awareness Training Program Implementation
- Start small – localize security awareness campaigns in a department or within a Community of Practice – say Business Analysts, or even maybe the Student Union.
- Try an outreach program – get invited to other team meetings or town halls.
- Have you tried onboarding meetings? They’re a great way to jumpstart communication and hand out small cards with cyber security messages on them, including information on how to contact the cyber security team.
- What about a small quiz to departments, maybe on a ~~Friday~~ Thursday afternoon? Once you’ve got the buzz going, scale it up, include it as an agenda item for conversations with your line manager, build a case, and maybe people would like a cybersecurity catch-up; this will lead to a new role being created.
- Can you use the expertise of an intern, for example, or a temporary assignment as part of the role? The possibilities are endless.
What Do Other Cybersecurity Professionals in Academia Think?
It would be good to hear from other cybersecurity awareness experts on what works and what might not in academia. If you’re a cybersecurity professional working at an academic institution or thinking of joining one, share your experiences and perspectives and we can help improve the cybersecurity landscape.
As a reminder to conclude this blog post ahead of the next one, a few words to summarize my recommendations for how to effectively administer and conduct cybersecurity awareness programs in an academic setting:
ENGAGE. TARGET. ADAPT. ENABLE.
