How can Higher Ed better prepare cybersecurity students for a hot job market?

Behind every new report of a data breach, data leak, or computer hack is a company scrambling to put out the fire, which is great news for job seekers or soon-to-graduate students with cybersecurity skills. Unfortunately, this is bad news for most companies because there is currently an imbalance between the supply and demand of skilled professionals to address these vulnerabilities.


The 2018 (ISC)² Cybersecurity Workforce Study estimates a global shortage of cybersecurity professionals of around three million workers. This shortage of skilled job seekers is having a real-world impact on companies and the people responsible for cybersecurity at those companies. The study also points out that Gen X and Baby Boomer workers make up about half of the current cybersecurity workforce, leaving many entry-level opportunities for new college graduates and pathways for growth as these more experienced workers approach retirement age.

The need for trained cybersecurity professionals is not going to go away. The US Bureau of Labor Statistics projects a 28% growth in US employment for cybersecurity consultants between 2016 and 2026. How can we help our students go beyond the theoretical concepts taught in computer science or cybersecurity classes and make themselves more attractive to future employers? We need to take the lead to encourage students to take the initiative to learn more about current issues in cybersecurity and take advantage of the many cybersecurity resources available.

Here are some ways you can help your students and contribute to narrowing the cybersecurity skills gap:

  • Hold informational sessions on cybersecurity. Help spread the word on your campus about the cybersecurity skills gap and job opportunities. You could ask your CISO or information security team to conduct a cybersecurity seminar or invite local experts to share their knowledge and expertise with your students. The Enterprise Security Team at The Ohio State University has already implemented this idea, and they sponsor an annual and free on-campus Cybersecurity Days event to expand knowledge of security and data protection for their entire college community.
  • Sponsor or encourage membership in student associations. There are two student cybersecurity organizations for your students to explore—National Cybersecurity Student Association and Women in CyberSecurity (WiCyS). The National Cybersecurity Student Association has a number of resources on their website, and you can sign up for their newsletter or follow their Snapchat account to view a day in the life of a cyber student or industry professional. The WiCyS is dedicated to bringing together women in cybersecurity from academia, research, and industry to share knowledge, experience, networking, and mentoring. You can also explore setting up a local WiCyS student chapter on your campus.
  • Offer campus internships. In addition to knowledge of advanced cybersecurity concepts, the most important qualification for cybersecurity employment is relevant work experience. You can help your students by hiring them as interns in your institution’s information security department. This offers students real-world experience while providing supplemental staffing for your department. For suggested qualifications and responsibilities, use the Information Security Intern Job Description Template on the EDUCAUSE website as a starting point.
  • Identify scholarship opportunities. The CyberCorps: Scholarship for Services, funded by the NSF, provides up to $22,500 per year for undergraduates and $34,000 per year for graduate students. In return, students commit to work for a federal, state, or local agency for a period matching the length of their scholarship. The Cyber Security Degree website provides a comprehensive list of additional cybersecurity scholarships and other career resources.
  • Encourage students to deepen their knowledge. The NICCS Education and Training Catalog is a central location where cybersecurity professionals across the nation can find more than 3,000 cybersecurity-related courses. Anyone can use the interactive map and filters to search for courses offered in their local area to add to their skill set, increase their level of expertise, or earn a certification. You could also direct your students to take advantage of the free online courses offered through edX, US Department of Homeland Security, Cybrary, or SANS Cyber Aces Online.
  • Attend cyber competitions. Institutions with an information assurance or computer security curriculum can give their students an additional way to hone their skills and have fun by participating in regional events hosted by the National Collegiate Cyber Defense Competition (NCCDC). The top regional teams can then go on to the National Championship, which was won by University of Virginia in 2018. Another cybersecurity competition for high school and college students is the National Cyber League (NCL), a defensive and offensive puzzle-based, capture-the-flag style competition. All participants play the games simultaneously and are tested with real cybersecurity challenges they will likely face in the workforce.
  • Participate in cybersecurity conferences. Students may be interested in the educational and networking opportunities from attending the annual conferences for the National Cybersecurity Student Association or Women in CyberSecurity. For additional conferences in your area, InfoSec publishes a comprehensive list with hundreds of cybersecurity events in the United States, Europe, and Asia.

Campus Security Awareness Campaign 2019

This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).


The IT Team can’t do It alone—Cybersecurity is everyone’s responsibility

Higher education institutions use lots of data every day. Payroll information, health insurance information, payment card information, and student information that includes financial aid information are just a few of the most sensitive data elements that are shared. These data elements are shared within institutions and with the vendors we do business with daily. It is not just IT departments that need to understand the information security requirements needed to protect these data. Every department that uses data needs to understand how to properly secure the data entrusted to it. Information security is a shared responsibility, and we offer the following tips to share with your campus community.

Did you know?

In 2017 the education industry (which includes K–12 and higher education institutions) had 7,837,781 records breached in 35 events. To put that into perspective, the healthcare industry had 6,058,989 records breached in 428 events, and the retail industry had 123,652,526 records breached across 33 events. (See Privacy Rights Clearinghouse Chronology of Data Breaches, 2017 data.)

More than half of the breaches in the education sector were caused by activities directly attributable to human error, including lost devices, physical loss, and unintended disclosure (see figure 1). These breaches were arguably preventable through basic information security protection safeguards.

Figure 1. Types of security breaches among educational institutions

What can you do every day to protect data?

Very few verticals, if any, transmit, process, access, and share such varied sensitive data elements as higher education does. There is not a “one size fits all” blueprint for information security controls that all institutions can follow. Yet all campus members have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled:

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. If prompted to update your device, don’t hesitate—do it immediately.
  • Enable two-factor authentication: Whether for personal use or work, two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Create really strong and unique passwords: Create unique passwords for all personal and work accounts. In today’s environment, one of the best ways to create a really strong password is to use a password manager for all of your accounts. A password manager will alleviate the burden of having to memorize all the different complex passwords you’ve created by managing them all in one “vault” and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if you lose or misplace it.
  • Understand where, how, and to whom you are sending data: Many breaches occur because of “oopsie moments” where we accidentally post sensitive information publicly, mishandle it or send it to the wrong party by publishing online, or send sensitive information in an email to the wrong person. Taking care to know how you are transmitting or posting data is critical.

Getting ready to send data to a vendor or sign a contract? With more and more services moving to the cloud, higher education institutions have an additional obligation to ensure that third parties are protecting our most sensitive information. If you or your department is looking to purchase or adopt a service or technology that uses institutional data, it is imperative that you include information technology at the beginning of the project or contract process to help ensure that data are properly protected. To determine whether or not IT should be involved in the vendor/contract process, ask yourself the following questions:

  • Does the project (and in-scope technologies) involve the handling or storage of personal data (e.g., student data, employee data, donor data, research data, or financial data)?
  • Does the project (and in-scope technologies) involve the handling or storage of personal data that is regulated by government entities or has special contractual obligations to a third party (e.g., contract sponsored for research)?
  • Is there transfer of any institutional data from an institution-owned system or device to a third-party vendor-contracted system or device?
  • Does the project involve acquiring/implementing/developing software, services, or components that your institution has not previously deployed?
  • Does the project involve providing a new data feed to an existing campus partner?
  • Does the project involve accepting card payments in any way?

If the answer to any of the above questions is “yes,” collaborate with your IT department at the beginning of the project to ensure that institutional data are properly protected.



Information security to go

From Stay Safe Online’s Wireless Safety Tips for Travelers

Many people love the adventure that traveling provides: meeting new people, seeing new places, and having new experiences are part of the allure. Technology makes it easier than ever to satisfy our wanderlust. We can use our connected devices to discover the exotic locales we wish to visit, book tickets on planes and trains, practice driving virtually, and seamlessly navigate once we get to our final destination. For all this ease that technology brings, we should prepare our technology for travel as carefully as we plan our travel itineraries.

Travel tips

  • Back up your data! Backing up your data ensures that you won’t lose information if your device is lost or stolen. Consider encrypting your data as well, but check with your IT support staff first about how best to implement encryption.
  • Protect your devices with a strong password or lengthy passcode. Sometimes devices get lost or stolen, even when we are being careful. By protecting your device with a passcode or lengthy password, you make it harder for your device to be used and data to be accessed by others.
  • Make sure your devices and applications are up to date. Keep your applications and devices up to date and patched. This helps protect your device and data from security vulnerabilities and threats.
  • Just say no to unsecured public Wi-Fi. Having a wireless connection is almost a necessity for the modern traveler. However, using an unsecured public Wi-Fi hotspot can allow others to view the contents of your electronic activity. Never access your sensitive financial accounts from an unsecured network. If you must access sensitive data from an unsecured network, be sure that you use a VPN service.
  • Double-check your MFA settings. Many of us rely on multifactor authentication (MFA) to secure both personal and work-related accounts. Be sure that you know how (or if) that will work in the countries that you are visiting. For instance, if your MFA relies on SMS, be sure that you will be able to receive that message in the destination that you are visiting. If the option is available to you, consider using a physical token option to ensure you’ll be able to log in to your accounts.
  • Update your physical location with your password vault. Many people use password vaults to manage all of their account passwords. Don’t be surprised if your password vault requires additional verification steps when logging into it from a location that is not in your home country. (After all, we count on these vaults to be secure!) Check the vendor documentation or your account settings to make sure that there are no country restrictions or settings that you need to change before your trip. Also double-check that you’re able to access your recovery/secondary email address just in case there is an issue.
  • Consider leaving your daily devices at home. If you are traveling to a location where you are concerned about your individual privacy rights, consider leaving your primary mobile device at home and purchasing a replacement device to take with you instead. Put only the apps, services, and data that you need for that trip on the device. Some businesses and colleges and universities offer programs where a traveler can check out a “clean laptop” when traveling for business purposes. Using these types of devices helps limit any exposure of your personal data. Check your data plan as well. A “burner phone” or car GPS may be cheaper.
  • Be smart about posting on social media. It is always fun to post vacation pictures in the moment, but online postings on social networks (e.g., Twitter, Facebook, Instagram, Snapchat, etc.) can let other people know that you are not at home and that your home may be empty. Posting vacation pictures on social media once you are safely home helps protect your physical belongings.
  • Use hotel safes to protect your technology. Here’s another place where there is an overlap between online safety and physical safety. Just like you would put your passport, jewelry, and money in a hotel safe, consider using that safe to hold your electronic devices when you are not carrying them with you. Not only are the devices themselves expensive to replace, your personal data contained in the device can be irreplaceable (especially if you skipped the first tip on this list).
  • Remember your adapters! Make sure you have power adapters that will work with three-prong plugs and that they fit the country’s outlets. Some travel adapters only accept two-prong plugs. (If you’re attending a conference, you may be able to borrow a charging cable temporarily.) Outlets also vary, even, for example, between the UK and Ireland. Your technology gadgets are not very helpful when they run out of charge or cannot be powered on. Charge and take a portable battery pack.
  • Mind your voltage! Like plug types, different parts of the world use different voltages. Make sure that your technology devices can run on the voltage used at your destination. Getting shocked with 220V is not the same as 110V.

As surely as you can reduce wrinkles in your clothing with careful packing, so too can you avoid the most common technology travel woes by preparing before you leave home.

From The Barefoot Nomad’s How Not to Fry Your Smartphone Overseas: A Quick Guide
