
Cybersecurity Strategy Lessons from Washington College

October 2021
Note: This article highlights the experiences of one United Educators (UE) member and doesn’t represent UE risk management or legal advice.

Higher education institutions nationwide are being inundated with spam, malware, phishing emails, and ransomware attacks. And more than ever, hackers and other intruders are attempting to exploit institutions’ systems for profit. In October 2021, during Cybersecurity Awareness Month, UE member Washington College kindly agreed to share lessons it has learned.

Washington College in Chestertown, Md., noticed a significant increase in spam and phishing attacks against it within the past year. In September 2021, for example, the 1,400-student college received about 250,000 emails – and about 32% of them were either held or sent to junk because they were flagged as potential threats. A few were ransomware attacks or other demands for money.

The college isn’t sitting idly by. Instead, it’s taking several actions to bolster its cybersecurity.

One recent effort to protect students, faculty, staff, alumni, and the college overall from cybersecurity threats involved rolling out multi-factor authentication (MFA) for fall 2021. MFA dramatically reduces incidents of hackers gaining access to individuals’ accounts.

The college has begun using MFA for all its Microsoft Office 365 applications, including Word, Outlook, and SharePoint.

Within months, the college also plans to launch MFA for students, faculty, and staff signing on to the college’s VPN (an encrypted connection that lets you get through the network firewall so you can access internal resources).

Other actions to strengthen cybersecurity include a multi-year effort to move the college’s old server infrastructure to a newer, hyperconverged infrastructure.

“Like many organizations concerned with the well-being of end users, Washington College is constantly upgrading any aging infrastructure to close the vulnerability loopholes used by intruders,” says Victor Garcia-Escalante, Director, Technical Services, Office of Information Technology (OIT) at Washington College.

Moving to the newer infrastructure can’t be done overnight, so the college is setting up processes to make that happen.

The college also is scrutinizing features and capabilities of email and endpoint security companies. Endpoint security offers protection when devices such as laptops and cell phones connect to an institution’s network (if these devices have the endpoint security agent enabled).

Having MFA, email security, and endpoint security will help the college protect critical research and shut down those seeking to steal information. “We must get ahead of these attacks. We cannot allow them to take us down,” Garcia-Escalante says.

Why Is MFA Important?

The idea behind using MFA – also known as two-factor authentication – is that even if an employee or student password is stolen, the hacker won’t be able to access your institution’s information. That’s because when users attempt to sign in with their own password, your institution will require them to verify their identity in a second way.

The most common kinds of authentication factors used in MFA are:

  • Something you know (a password, memorized PIN, etc.)
  • Something you have (a smartphone, secure USB key, etc.)
  • Something you are (fingerprint, facial recognition, etc.)

To prevent accounts from being compromised, Washington College started having its information technology (IT) staff use MFA in 2020. Now MFA is used by roughly 14,000 end users (12,000 alumni plus 2,000 students, faculty, and staff).

MFA asks for user account authentication when users log on to a different network or device. Users will receive a verification code or approval notification to an account they choose. Washington College recommends users select the option where they get a text message on their cell phone with the verification code to enter.

There are several options institutions can use for a secondary form of authentication for MFA, but the most secure option is the Microsoft Authenticator app. That’s because users need to reconfigure the app if they want to transfer it to another phone; that’s not the case for the other options available.
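The following is an added illustration, not code from Washington College or from UE, of the server-side logic behind the second factor described above: a password check followed by a one-time code check, so that a stolen password alone is not enough to sign in. It models the authenticator-app style of second factor (a time-based one-time password, RFC 6238) rather than the text-message option the college recommends to users; the user name, password, salt and the RFC test secret are constructed demo values, and `login`, `verify_totp` and the `USERS` table are hypothetical names chosen for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials. A real deployment keeps hashed passwords and
# per-user secrets in a credential store, never in source code.
DEMO_SALT = b"constructed-demo-salt"
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: a stolen credential store yields no plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Hypothetical user table (constructed for the example).
USERS = {
    "student1": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": DEMO_TOTP_SECRET,
        "last_counter": -1,  # highest time step already accepted; blocks code replay
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_password(user: dict, password: str) -> bool:
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(user: dict, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift),
    but never a step at or below the last one used, so a captured code cannot be replayed."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


def login(username: str, password: str, code: str, unix_time: int) -> str:
    """Return 'ok' only when both factors check out. The failure reason is kept
    generic so a caller cannot tell which factor was wrong."""
    user = USERS.get(username)
    if user is None or not verify_password(user, password):
        return "denied"
    if not verify_totp(user, code, unix_time):
        return "denied"
    return "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time; the 6-digit SHA-1 code at this time is 287082
    code = totp(DEMO_TOTP_SECRET, now)
    print("password only:", login("student1", "correct horse battery staple", "000000", now))
    print("both factors: ", login("student1", "correct horse battery staple", code, now))
    print("replayed code:", login("student1", "correct horse battery staple", code, now))
```

Running the block shows the three outcomes the article's reasoning depends on: a correct password with no valid code is denied, password plus a current code is accepted, and reusing the same code is denied because `last_counter` records the step already consumed. The `window` of one step either side tolerates small clock differences between the phone and the server without widening the attack surface beyond a 90-second span.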

There haven’t been major issues with the MFA rollout, just small hiccups when, for example, people change phones or passwords.

“It’s very straightforward, and it’s working fine,” Garcia-Escalante says.

More Strategies to Improve Your Cybersecurity

Based on his experiences, Garcia-Escalante recommends that institutions, regardless of their size and resources, consider these additional strategies when improving their cybersecurity efforts:

Don’t Rely Solely on MFA to Protect Your School

There have been no reports of compromised accounts since MFA launched at the college in September 2021. But the college still has other vulnerabilities it’s trying to close.

Strengthening email security will allow the college to quarantine junk or suspicious email, protecting it from receiving spam, ransomware, malware, and phishing attacks.

Ensuring strong endpoint security exists will block dangerous applications and downloads. For example, it will protect the college from malware attacks when employees click on inappropriate links from work-issued laptops or cell phones.

Provide Training on Threats

To help users recognize and report security threats, Washington College’s OIT released UE’s courses on data security, including phishing, malware, and passwords.

Any cybersecurity training on subjects like phishing and ransomware attacks should be mandatory and provided at least monthly.

“I know it seems like five to 10 minutes might be a waste of time, but it is not,” Garcia-Escalante says. “The way these intruders are evolving, it’s better to get ahead of them. Be proactive.”

Remind Students and Staff to Protect Unique Passwords

Even with MFA, it’s important to warn students and employees to use strong, unique passwords to protect themselves from hackers. They also should keep their passwords confidential and should not use the same passwords on multiple sites.

Passwords should be easy to remember and difficult to guess.

Also, remind users not to use “password” as a password.
