Jesper Johansson, Chief Security Architect at Yubico

FE institutions are under increasing attack from cybercriminals looking to exploit open networks and steal personal information and IP. Jesper Johansson, chief security architect at Yubico, looks at what they should do to keep hackers out.

Drawn by “tempting and easily accessible” open networks, by sensitive information such as cutting-edge research, and by personal and payment information entered on shared computers and networks, hackers see educational institutions as particularly tantalizing targets. As a result, students take on more risk than they realise when they go online on campus.

Students aged between 18 and 25 face a dual threat: according to the UK government's Cyber Aware campaign, this age group is the most likely to reuse passwords for multiple online services. The danger is particularly acute because of the sensitive data people typically send via email and other accounts, which commonly includes bank details and copies of passports and driving licences. For collaborating students, this list is likely to include their research and other intellectual property.

Before FE institutions can effectively protect themselves and their students online, they must first understand the threats that they are facing. So let’s uncover some of the most common techniques for stealing internet credentials, popular and proven methods of defending against these attacks, and best practices to keep data safe.

Getting the job done, whatever the cost

With tight deadlines and busy schedules, it can be attractive for ambitious, well-intentioned students to cut corners, and security is usually one of the first areas to take a hit. They may borrow or share account credentials, leave shared devices unattended or unlocked, or mistakenly click on malicious links. These are all common practices that result in breaches.

Students have work to do, and if security hinders rather than helps them, they will work around controls they don’t understand. They may want to work on the go, but a common pitfall for the conscientious student is accessing important accounts and data via unsecured networks such as public WiFi.

Sometimes, unsecured networks allow attackers access to the network path and the ability to place a fake site between their victim’s computer and the site they are accessing in what’s known as a “Man in the Middle” (MitM) attack. This can enable the attacker to steal their login credentials and data if the connection is not encrypted, or if the victim believes the attacker’s system is legitimate.

Gone Phishing

Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy students can find themselves a victim. 91% of cyber-attacks start with a phishing email. While some attempts are obvious, sent by unknown senders with subjects like ‘Claim your ultimate deal now!’, the far more successful subject lines are the ones that don’t raise much suspicion.

Many phishing emails look like they have been sent legitimately by people known to the user. ‘Account action required’, ‘Important student loan information’, or ‘library loan return due’ can all be ploys to weaken the email recipient’s defences through seemingly ordinary alerts.

The body of the email can hold a whole new set of clues, including misspelled words and confusing context. Hackers can also use current or popular events to their advantage. For example, holiday seasons, trending causes and natural disaster or tragedy relief efforts are all used to sneak an unsuspecting phishing email into the inbox of thousands of targets.

Prioritising convenience

Attackers can be surprisingly successful at accessing accounts across many sites by guessing common passwords with specific or common usernames. Unfortunately, most people struggle with creating or remembering strong passwords. As a result, it’s common to choose weak passwords for convenience, and to use the same password, or a variant, across multiple sites.

This problem is exacerbated by the large volume of stolen credentials available for sale on the dark web, with hundreds of millions of credentials available to attackers. Attackers have also reportedly targeted weaker sites to gain an individual’s credentials. If they’re successful, they’ll use those same credentials on other sites that they’re actually interested in.

Hackers are increasingly sophisticated

Hackers today want to stay one step ahead of organisations’ security protocols. PCs that are connected to the internet have large attack surfaces, making them vulnerable to attacks from many fronts, including malware, phishing, malicious apps, WiFi exploits, VPN masking, and social engineering.

Attacker objectives, victims, and techniques vary significantly. That said, we do know that internet credential theft and misuse is involved in nearly 81% of hacker-related breaches. Since stealing someone’s password is relatively easy to do from afar, and there’s little risk of or danger in getting caught, it’s become one of the most common attacks in the world.

Having the strongest usernames and passwords isn’t a failsafe method. If they are compromised, a hacker can easily access your accounts. Phishing/malicious emails can often look like credible emails, and may even come from one of your known contacts. Thankfully, colleges have begun to recognize that strong authentication provides security that counters the fallout from the unprecedented swell of password breaches.

So how can FE institutions best protect themselves and their students against the onslaught of credential theft they face?

Prevention is the best protection

Institutions should ensure that security policies and procedures are communicated to all students and staff. They should take time to educate students not just on their chosen subject, but about the negative impact a data breach could have on the institution’s revenue, safety, and overall reputation. Regular communication with students is key to reinforcing what should be done to prevent breaches, and how to respond in the event of one.

All students would be well advised to follow some basic best practices to help protect their accounts. They should never open an attachment or click a link if any aspect of the email seems suspicious, and they should be reminded of good habits while using shared computers. Cyber security awareness campaigns should always be encouraged.

Fail to plan? Plan to fail

While no one wants to deal with a data breach, those that prepare for one before it happens weather the storm better. The aftermath of a compromise is a terrible time to draft the notification to staff and students, and just as bad a time to figure out how to determine what happened and stop it. A clear and tested response plan helps all parties involved know what to do. This attack mitigation plan must be implemented and championed from the top.

Unfortunately, while it’s common for FE institutions to have academic staff responsible for training the cyber security professionals of tomorrow, it is far less so for members of the SLT to have direct expertise in or responsibility for IT security. Prioritizing the protection of data and systems starts at the top. Building out a senior position with responsibility for cyber security and data privacy will ensure that there is a holistic, comprehensive approach to the security and privacy strategy, and it will also help further leadership buy-in by giving security a seat at the executive committee and decision-making process.

Improving Authentication

Unfortunately, some attacks are so sophisticated that they can even bypass the savviest of users. Thankfully there is a surprisingly easy and affordable way to protect online accounts from all of these attacks. There are technology solutions that can help, and we strongly recommend two-factor authentication (2FA). Many services enable the use of 2FA, which can help students protect their online accounts, emails and computer logins while helping to protect the most sensitive data of the institution and its students.

Physical hardware, such as 2FA tokens, is considered more effective than other methods such as SMS or software tokens. Staff or students log in using both their password and the physical hardware token to secure logins to web applications, computers, email and other online accounts. The combination of using passwords and the hardware token prevents hackers from accessing your account. Even if credentials were to become compromised, the hacker would still need the user’s physical token to gain access to their accounts.

While there’s no simple fix to prevent cybercriminals from attempting to plunder the most precious resources on campus, it is possible to keep them from walking out with the data they want. The best way to achieve this is to ensure good cyber security practices are implemented, that these are reinforced throughout the institution from the leadership to every student and member of staff, and to double-lock accounts using 2FA.
