Dennis started a new job at a local university. He received cybersecurity training as part of his onboarding, but he didn’t pay much attention. He’s received similar training in the past and knows all about strong passwords and what to look out for in a phishing email.
Dennis’s third week of work was during finals. Students were cycling in and out of his office, and coworkers were blowing up his email. In between meetings with students, he would go through his inbox as quickly as he could, skimming over content and prioritizing tasks that would take the least amount of time.
When Dennis came across an email asking him to confirm his new account, he clicked the confirmation button, plugged in his credentials (which were the same across all his university accounts), and filed the email away as another task completed.
Soon after, the university experienced a ransomware attack. The networks were compromised, rendering the school Wi-Fi unusable. The university was forced to cancel all online and hybrid classes and to extend finals, impacting graduation.
Did you spot the red flags?
- Dennis didn’t pay attention to his onboarding because he thought he knew the content, but such training could have provided him with university-specific cybersecurity best practices.
- Dennis used the same credentials across all university platforms, even though he claimed to know about strong passwords. There is a difference between knowing and doing: for cybersecurity training to be effective, the knowledge learned must be put to use to protect data.
What you should know about this scam
In academia, it is often the responsibility of IT to provide privacy governance, but a community culture that emphasizes everyone’s duty to protect data would help serve all organizations.
Universities face a unique vulnerability: a large portion of their users live “on site,” and user turnover is high. Addressing concerns that are specific to a company’s niche could prevent scammers from targeting such weaknesses.
For universities, January and May see a peak in cybersecurity incidents. This is during finals, when students and staff are busiest. Other institutions may also find that their busy season corresponds with an increase in unintentional data disclosures.