Campus Review Volume 28 - Issue 10 | October 2018 | Page 29
Technology
campusreview.com.au
through targeting messages for greater
relevance. Schedule messages to send
at times when people will see them.
3. Train and reinforce
The cyber security landscape is
continually evolving – apps, the Internet of
Things and more sophisticated threats all
add complexity. When staff are your first line
of defence, training is the armour they need.
Increasing risk awareness and process
knowledge, through staff training programs,
is the surest way to effect sustained
behavioural change. Regular sessions will
embed learnings such that they become
second nature, as well as ensure any new
staff are included.
Tip: Maximise attendance by promoting
your training sessions in a pop-up RSVP
tool. Make your sessions available to
remote staff or those who couldn’t attend
via video alerts.
4. Share learnings
There is a wealth of helpful tips available
for better cyber security practice. Staff may
have become aware of them in roles at
other companies, or through their own web
research. Listing every such tip would create
an article dozens of pages long!
But there is value in sharing best practices
– things like how to identify what phishing
emails look like (plus examples), or why you
need to check the URL of a web link before
clicking on it. Not only does this increase the
volume of your in-house knowledge, it also
helps foster positive learning behaviour.
Tip: Establish a collaborative online forum
which allows staff to submit cyber security
tips (with your IS Manager as moderator).
Apply tagging to each such that they may
easily be categorised by type (for example,
email, procedure, social media) and will
appear in related user searches.
5. Define escalation process
Cyber security risk is increasing.
Networks at some of the top institutions,
such as Oxford University, have been
compromised.
Despite every best effort, sometimes
the worst happens. The readiness of your
response determines how well you’ll
emerge when the dust has settled. Ensure
that crisis management procedures are
documented, and involve representatives
from every department.
Tip: Practise your plan with dummy
scenarios periodically (after all, you do this
for physical exercises like fire drills). Make
these as realistic as possible, and ensure all
key personnel are involved.
6. Build an online database
In protecting your organisation from the
risk of cyber attack, you’ll amass a wealth
of information – compliance policies,
procedures, secure password tips, web
browsing guidelines, FAQs and key contacts.
Making these available in a single
repository not only allows staff to easily
access them, it also makes maintenance
simpler for you. This area is continually
added to over time and becomes the single
source of truth for all things cyber security.
Tip: Work with your IT team to create a
dedicated section on your intranet. Advise
staff each time updates are made. Bring
cyber security to life by including staff
quizzes to test knowledge.
7. Engage students
Students introduce a significant element
of risk to cyber security. They’re significant
users of communal computers, such
as those available for use in your library.
They’re also likely to be more relaxed about
risk – either because they underestimate the
danger or are simply indifferent to it.
Any tactical plan around cyber security
must include the ability to target students –
in any faculty, on any campus.
Tip: Digital signage in common areas like
libraries is a highly visible tool that can
help promote best behaviour practices.
8. Foster a cyber-safe culture
Encouraging a security culture helps
your efforts by sharing the responsibility
and making everyone part of the solution.
This ensures all staff are focused on the risk
– particularly important today.
Cyber attacks on educational institutions
are growing. In the first half of 2017, there
was a 103 per cent increase in breaches in
the education sector – one of the largest
jumps of any industry. A culture of
awareness is a culture of preparedness.
Tip: Reinforce best practice and
promote cyber security tips through
passive channels, such as corporate
screensavers. Introduce storytelling to your
communications via real-world examples.
9. Simulate attacks
So, you’ve trained staff on how to act,
provided them with the tools to do so,
perhaps even tested their knowledge, but
how confident are you that they will act in
the best way when an attack occurs?
The best way of gauging this is to
simulate an incident: a phishing email
distributed to all staff. The IS team monitor
all interactions with it, including how many
times dangerous links or attachments
are clicked on. Reporting on this, and the
specific staff who committed this cyber
no-no, helps identify additional training
needs before a real event occurs.
Tip: Use progressive email testing in your
simulations, where content is increasingly
difficult to identify as malicious, to help
define your potential risk level.
10. Repurpose useful content
When it comes to prevention
of cyber security risk, don’t reinvent the
wheel. A lot of material has been written on
the subject already, some of which may be
readily available through your institution’s
partner network.
To assist your ongoing employee
education, repurpose content, for example,
from your virus-protection vendor, and
tailor it for your audience. Physical material
can also be made available in student
common areas, such as libraries.
Tip: Get a list of vendors from your IT
department and evaluate which has
valuable content that you can make use of.
ATTRACTIVE TARGETS
As institutes of higher learning, with the
personal details of thousands of students
on file, universities are expected to
exhibit the highest level of cyber security.
This becomes increasingly challenging
as hackers see the industry as an
attractive target.
Fortunately, there is much that
higher education institutions can do to
mitigate the risk. In this case,
a little knowledge is definitely not a
dangerous thing.
Michael Hartland is an internal
communications specialist at
SnapComms, a leading global provider
of digital employee communication
solutions.