
Executive Summary
There is a relative vacuum in the research on cyberhygiene in online education. Cyberhygiene refers to practices internet users need to follow in order to safeguard their devices and their personal information (Miedema, 2018). The U.S. Department of Education assessed that, overall, the American higher-education sector is in the infancy of cyber security maturity (IFAP, 2018). Furthermore, because online higher-education enrollments continue to climb, four generations overlap in the workplace (ranging from digital immigrants to digital natives), the technology undergirding online education continues to grow and transform, and numerous data breaches have occurred, it is important for the online segment of distance education to focus on cyberhygiene.
The Problem and Its Significance
Dr. Curtis Carver, former Vice Chancellor and CIO of the Board of Regents for the University System of Georgia, noted that if a nation state wishes to break into an education institution, it will (Zalaznick, 2013). Even more troubling, Admiral Michael Mullen, the former director of the National Security Agency, remarked that just about every major enterprise has already been hacked and the attackers may have left dormant malware behind (Zalaznick, 2013).
Academic and military professionals agree that cybersecurity requires the full and urgent attention of everyone involved in higher education.
Cyber criminals are often after proprietary information they need for themselves or intend to sell to the highest bidder, whether a nation state or buyers on the digital black market. In some cases, they may go as far as destruction (Chalfant, 2017). According to a 2017 Computerworld news analysis, a single Russian-speaking hacker breached twenty-four U.S. universities, including Arizona State University, Cornell University, Purdue University, and Virginia Tech (Storm, 2017). Penn State was hacked in 2015, resulting in the compromise of usernames and passwords; in this case, the FBI attributed the criminal activity to a nation state (Barron, 2015). In 2016, Michigan State University was hacked, resulting in the theft of the social security numbers, student ID numbers, and dates of birth of some 400,000 students and graduates (Matthews, 2016). American institutions are not the only targets of cyber crime. In 2016, the University of Calgary was hacked and the criminals asked for an approximately $15,000 ransom payment, which the university paid (Matthews, 2016). Oxford University, University College London, and Warwick University have all been targeted by countless and relentless cyber theft attempts, some successful, looking for sensitive data, such as military and medical research data (Fish, 2017). The potential impact of cyber crimes on higher-education institutions could amount to millions of dollars and damaged reputations (Zalaznick, 2013).
Regulations and Legislation
The Federal Student Aid office of the U.S. Department of Education notes that the higher-education sector has a low cyber-security maturity level combined with the high risk of owning different types of sensitive information; as a result, beginning with the fiscal year 2018, all post-secondary institutions participating in federal student-aid programs will be subject to audits of student-security information (IFAP, 2018). Additionally, the Student Aid Internet Gateway Agreement requires that any suspected or detected university data breaches be reported on that same day via cpssaig@ed.gov (IFAP, 2018; SAIG, 2018). Failure to do so can result in fines of up to $54,789 per violation all the way up to loss of ability to participate in federal student-aid programs (IFAP, 2018).
The timing of these federal mandates corresponds with the overall recent threat landscape, which includes multi-million-dollar digital bank thefts, disrupted presidential elections, and nation-state actors moving from espionage to sabotage (Symantec, 2017). Many of these cyber security breaches were inflicted with basic technology tools and cloud computing (Symantec, 2017). Not surprisingly, the number one IT issue in 2019 is information security strategy, to be understood as “developing a risk-based security strategy that effectively detects, responds to, and prevents security threats and challenge” (EDUCAUSE, 2018, slide 5).
Numerous federal regulations are currently in effect to protect information in higher education, as follows:
• FERPA, which stands for the Family Educational Rights and Privacy Act (FERPA, 1974), requires the protection of student education records.
• FISMA, which stands for the Federal Information Security Modernization Act (FISMA, 2014), requires that federal data be kept secure.
• GLBA, which stands for the Gramm-Leach-Bliley Act (GLBA, 1999), requires the protection of customers’ personally identifiable data.
• HEA, which stands for the Higher Education Act (HEA, 1965), requires that higher-education institutions with Title IV programs offer information-security protection.
• HIPAA, which stands for the Health Insurance Portability and Accountability Act (HIPAA, 1996), requires the protection of patient health records.
• SAIG, which stands for the Student Aid Internet Gateway Enrollment Agreement (SAIG, 2018), requires that higher-education institutions with Title IV programs protect Federal Student Aid applicant information.
Two Sides of the Issue
Who should be responsible for keeping institutional data secure? The institutional office of information security? Or each and every one of us? Dr. Michael Nowatkowski, Associate Professor of Information Security at the Augusta University Cyber Institute, Program Director for Cyber Science at the Augusta University Cyber Institute, and part-time Senior Research Fellow for the Army Cyber Institute at West Point, NY, uses the following metaphor to explain the two sides of this issue (Laws, Nowatkowski, Heslen, and Vericella, 2018):
Imagine a home. Imagine the owners are leaving on vacation. The local police patrol the neighborhood frequently, so the homeowners feel secure. Yet if they were to leave their front door unlocked or a window open, a burglar could easily enter the house in between police patrols. To keep the house secure, therefore, the family cannot just rely on police protection. They need to take personal responsibility by locking their doors and shutting their windows. For added safety, they may also wish to install a security system that can alert local law enforcement if a burglar is trying to force his or her way into the house.

Similarly, in higher education, the institutional office of information security is responsible for keeping everyone safe from cyber threats. If an employee gets up from her desk and leaves sensitive data on the computer screen, an ill-intended passer-by could steal or corrupt the data. If a human-subjects researcher takes his work laptop on a business trip and the laptop is stolen from his hotel room, all the sensitive data can be used maliciously by the thief. If a staff member uses the password “12345” for all credentials, even the least experienced hacker can guess that password and gain access to confidential data. If a faculty member uses free software with his students, he opens up the possibility that the information students input into that application can pose a privacy and security threat. If a student accesses her online class through free WiFi, her web traffic is vulnerable to malicious eavesdroppers. It is important for all higher-education stakeholders to not simply rely on the institution’s information-security office, but to take personal cybersafety or cybersecurity measures.
Recommendations
At the institutional level, chief information security officers are expected to work closely with internal and external cybersecurity units to prevent, respond to, and recover from cyberthreats (Drinkwater, 2017; Trevors & Wallen, 2017). One recommendation is for higher-education institutions to assess their current IT vulnerabilities, to implement an enterprise-wide risk-management program, to abide by national best practices, and to practice cyberhygiene involving the entire campus (COMEVO, 2018; Zalaznick, 2013). Additionally, the following cyberhygiene best practices are recommended for all who operate in the higher-education field:
• Strong passwords. Passwords should be at least 10 characters long and include a mix of at least one number, lowercase and capital letters, and special characters (Defta, 2011; Nield, 2017). It is best to aim for hard-to-guess, seemingly random passwords (which might consist of the first letters of the words in a sentence that is only meaningful to the person who set it) and to opt for two-factor authentication whenever available (Nield, 2017; University of Oklahoma, 2018). Besides setting strong passwords, it is important to have unique passwords for each account and to keep passwords secret (Trevors & Wallen, 2017).
• Anti-virus software. While institution-provided computers most likely contain anti-virus protection, it is important for online administrators, faculty, and students to protect their personal desktop and/or mobile computing devices with anti-virus software. When choosing a robust anti-virus software program, features to look for include email protection, automatic updates, and anti-phishing, anti-malware, anti-trojan, anti-ransomware, anti-spyware, and anti-worm protection, to name a few (Komen, 2017).
• Update Software. Work, school, and personal computers should stay up to date with the latest operating-system security patches and web browser updates. For personal computers, it is recommended to opt for automatic installs of any available patches. Additionally, computer users need to manually check for updates from third-party software applications such as Adobe or Java (University of Oklahoma, 2018).
• Free Software. In an effort to reduce cost to students, some faculty elect to require the use of free versions of software applications. While many free software applications may be reputable and safe, some may have the potential to harm the user's computer or to cause a loss of privacy. Free software can harm the user's computer if the software is infected with a virus or other malicious program. Privacy can be lost if the free software contains spyware or keyloggers (Norton Online Security, 2018).
• Free or Public WiFi. Free or public WiFi offers great convenience for connecting to high-speed networks, but does so at a very high risk. If the user is sending any sensitive information, such as personal emails, banking information, FERPA data, or HIPAA data, a malicious eavesdropper would be able to see all of that sensitive information (Bencie, 2017).
• Least privilege. The concept of least privilege refers to limiting a user’s access and authorization to only the amount needed to complete a task (Saltzer & Schroeder, 1975). Administrator privileges are required for tasks such as creating new user accounts, installing software, and modifying system files. Standard user accounts do not require authorization or access to accomplish those tasks.
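The password guidance in the list above (length, character mix, and a unique password per account) can be checked mechanically. The following Python code is an added example, not part of the original paper; the function names and the sample accounts are constructed for illustration, and "special character" is assumed to mean ASCII punctuation.

```python
import string

MIN_LENGTH = 10  # minimum length given in the "Strong passwords" bullet


def policy_failures(password):
    """Return the rules from the 'Strong passwords' bullet that this password fails."""
    checks = [
        ("at least 10 characters", len(password) >= MIN_LENGTH),
        ("at least one number", any(c.isdigit() for c in password)),
        ("a lowercase letter", any(c.islower() for c in password)),
        ("a capital letter", any(c.isupper() for c in password)),
        # Assumption: "special character" means ASCII punctuation.
        ("a special character", any(c in string.punctuation for c in password)),
    ]
    return [rule for rule, ok in checks if not ok]


def reused_passwords(accounts):
    """Return groups of account names that share one password (uniqueness rule)."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return [sorted(names) for names in by_password.values() if len(names) > 1]


def audit(accounts):
    """Return (per-account failed rules, groups of accounts with a shared password)."""
    report = {name: policy_failures(pw) for name, pw in accounts.items()}
    return report, reused_passwords(accounts)


# Constructed sample data: two accounts reuse the weak password "12345"
# mentioned earlier in the paper; the third follows the guidance.
SAMPLE = {
    "lms": "12345",
    "email": "12345",
    "library": "Mdw2tPe7yo!",
}

if __name__ == "__main__":
    failures, shared = audit(SAMPLE)
    for name, rules in failures.items():
        # Report only the failed rules, never the password itself.
        print(name, "OK" if not rules else "fails: " + ", ".join(rules))
    for group in shared:
        print("same password used for:", ", ".join(group))
```

A check like this belongs where the password is set, so that the password itself is never stored or logged.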
References
Barron, E. (2015, May 15). A message from President Barron on cybersecurity. Retrieved from http://news.psu.edu/story/357654/2015/05/15/administration/message-president-barron-cybersecurity
Bencie, L. (2015, May 3). Why you really need to stop using public wi-fi. Retrieved from https://hbr.org/2017/05/why-you-reallyneed-to-stop-using-public-wi-fi
Chalfant, M. (2017, June 29). Senators introduce ‘cyber hygiene’ bill. Retrieved from http://thehill.com/policy/cybersecurity/340160senators-introduce-cyber-hygiene-bill
COMEVO (2018, September 25). 6 cybersecurity best practices in higher education. Retrieved from https://www.comevo.com/6cybersecurity-best-practices-in-higher-education/
Defta, L. C. (2011). Information security in e-learning platforms. Procedia - Social and Behavioral Sciences, 15(3rd World Conference on Educational Sciences - 2011), 2689-2693. doi:10.1016/j.sbspro.2011.04.171. Retrieved from https://www.sciencedirect.com/science/article/pii/S1877042811007178
Drinkwater, D. (2017, June 26). 10 steps for a successful incident response plan. Retrieved from https://www.csoonline.com/article/3203705/security/10-steps-for-a-successful-incident-response-plan.html
EDUCAUSE (2018, November 01). The EDUCAUSE 2019 top 10 IT issues. Retrieved from https://events.educause.edu/annualconference/2018/agenda/educause-top-10-it-issues
Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g (1974). Retrieved from https://www.law.cornell.edu/uscode/text/20/1232g
Federal Information Security Modernization Act (2014). Retrieved from https://www.dhs.gov/cisa/federal-information-securitymodernization-act
Fish, I. (2017, September 5). Oxford, University College London and Warwick are targeted by hundreds of cyber attacks by hackers 'stealing university secrets for foreign powers'. Retrieved from http://www.dailymail.co.uk/news/article-4852938/OxfordUniversity-College-London-Warwick-targeted.html
Gramm-Leach-Bliley Act (1999). Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacyconsumer-financial-information-rule-gramm
Health Insurance Portability and Accountability Act (HIPAA, 1996). Retrieved from https://www.hhs.gov/hipaa/index.html
Higher Education Act (HEA, 1965). Retrieved from https://www.govinfo.gov/content/pkg/STATUTE-79/pdf/STATUTE-79Pg1219.pdf
IFAP (2018). Frequently asked questions. Retrieved from https://ifap.ed.gov/eannouncements/attachments/CyberFAQ.pdf
Komen, S. (2017, April 19). Important features to look for in an antivirus. Retrieved from https://antivirus.bunifu.co.ke/importantfeatures-to-look-for-in-an-antivirus/
Laws, G., Nowatkowski, M., Heslen, J., & Vericella, S. (2018, June 27). Guidelines for cyberhygiene in online education. Presented at the 2018 Distance Learning Administration Conference, Jekyll Island, GA.
Matthews, L. (2016, November 19). Michigan State University hacked, student data stolen. Retrieved from https://www.forbes.com/sites/leemathews/2016/11/19/michigan-state-university-hacked-student-datastolen/#98dbb9444837
Miedema, T. E. (2018, February). Engaging consumers in cyber security. Journal of Internet Law 21(8), pp. 13-15.
Nield, D. (2017, March 27). How to choose safe passwords and remember them too. Retrieved from https://www.popsci.com/howto-choose-safe-passwords
Norton Online Security (2018). Dangers of free downloads. Retrieved from https://www.nortonsecurityonline.com/securitycenter/dangers-of-free-downloads.html
Saltzer, J. H. & Schroeder, M. D. (1975, September). The protection of information in computer systems. Proceedings of the IEEE, 63(9), pp. 1278-1308. doi: 10.1109/PROC.1975.9939
SAIG (2018, January 14). Welcome to the SAIG enrollment site. Retrieved from https://fsawebenroll.ed.gov/PMEnroll/index.jsp
Storm, D. (2017, February 15). Hacker breached 63 universities and government agencies. Retrieved from https://www.computerworld.com/article/3170724/security/hacker-breached-63-universities-and-government-agencies.html
Symantec (2017). 2017 Internet security threat report. Retrieved from https://www.symantec.com/security-center/threat-report
Trevors, M. & Wallen, C.M. (2017). Cyber hygiene: 11 essential practices. Retrieved from https://insights.sei.cmu.edu/insiderthreat/2017/11/cyber-hygiene-11-essential-practices.html
University of Oklahoma (2018). Cyber hygiene. Retrieved from www.ou.edu/ouit/security-old/cyberhygiene
Zalaznick, M. (2013, September 23). Cyberattacks on the rise in higher education: Foreign governments and organized crime targeting institutions’ most sensitive information. Retrieved from https://www.universitybusiness.com/article/cyberattacksrise-higher-education