At the University of Dayton, the vast majority of cybersecurity threats are unintentionally introduced by the user community -- students, faculty, and administrators. That’s why the college’s IT department is looking beyond protections on the technical side and educating the campus community on safer computing habits. (Lydia Emmanouilidou/WGBH)
It’s a day like any other on the campus of the University of Dayton (UD) in Ohio. Students are rushing to class, sipping on lattes, and checking out books at the library. But behind the scenes, cyber-attackers are lurking, ready to strike.
Each day, the university faces nearly 80,000 network-based cybersecurity threats. In a year, those threats add up to about 30 million. The numbers may seem staggering. But UD is not uniquely targeted.
“Higher [education] is a highly targeted environment,” said Patrick Morley, President and Chief Executive Officer of Carbon Black, a Waltham-based cybersecurity firm that works with hundreds of clients in higher education.
Colleges and universities are particularly vulnerable to cyberattacks because of their openness and focus on collaboration beyond the borders of their campuses. At the same time, higher education institutions have two types of assets that make them particularly appealing to cyber-criminals: Personal data -- including social security numbers, payroll and other information on students, faculty, administrators and even alumni -- and valuable scientific research.
“That intellectual property is a great way for other countries in particular to go advance their own research areas, and so they go and focus on universities,” Morley said.
When cyber-criminals come knocking, they often encounter careless professors or students who respond to phishing emails, click on suspicious links, or otherwise inadvertently give up log-in credentials.
In these cases, protections on the technical side -- like antivirus and anti-spam programs -- are often not enough.
“When we looked at what was going on, we realized that really not a whole lot was focusing on really changing the behaviors of our user community,” said Tom Skill, Associate Provost and Chief Information Officer (CIO) at the University of Dayton. “So we began saying what can we do? We have to make sure that our user community believes that there really is a problem here and there are things that they can really do to make that difference.”
To fill that gap, Skill and his staff created what they describe as.
“We have a brand, we have a message strategy, we have a style and tone to our messages that reflect this kind of engagement that we believe is so important,” Skill said.
As part of the campaign, the school sends out a bi-monthly email newsletter, filled with cartoons and practical tips on safe computing, all centered around a different theme every month. The March newsletter, for example, focused on digital spring cleaning -- updating applications, deleting programs that are scarcely used, and backing up important information. There’s a Phish Commish, on dodging phishing attacks. The tone of the messaging is intentionally light.
The school also hosts monthly phishing training exercises and other events to give members of the campus community a chance to exercise their security muscles.
“So, we’re not talking about rocket science here. We’re talking about pre-rocket science,” Skill explained.
Still, Skill says, convincing members of the campus community to change computing habits is challenging.
“Cybersecurity is such a hugely complicated area, bringing some kind of organizational mindset that people can digest without getting heartburn is really hard,” Skill said. Often, Skill admits, that’s because the IT staff responsible for communicating this information are not always the best at doing it in a way that makes sense to the user community.
“When I look at all the problems out there with IT, most of it cooks down to the fact that somebody messed up with communication. Everybody’s pretty good, technically. Sometimes we just don’t say it very well,” Skill said.
But Skill came to this job with unique experience in communications. He has a Ph.D. in Mass Communication and years of experience teaching in the Communications Department at UD. Since becoming the CIO, he’s hired two communications experts to work on his IT staff.
This focus on communication is partly what sets UD apart from other schools attempting to educate their users on issues around cybersecurity.
“You cannot treat cybersecurity as kind of a one-time event, where you train people this week, we’ll come back in a year and we’ll train you again,” Skill said. “If you don’t keep up after them, and you don’t communicate with them on a continuous basis over the entire year, you’re very likely not to see the success that we have seen.”
Since rolling out the campaign to faculty last year, Skill says they’re much more likely to spot and report phishing emails and other suspicious activity. The school has also been conducting surveys that indicate faculty are more confident in their ability to make a difference on their campus’ cybersecurity.
This approach is getting the attention of colleges around the country, as well as industry leaders in the Dayton area, who are reaching out to Skill for advice on how to replicate the campaign.
In the fall, UD plans to roll out the campaign to students. For that audience, they admit, an email newsletter may not be the hippest way of communicating.
This is part three in our series examining college completion efforts and higher education innovation in and around Dayton, Ohio.