Cybersecurity is not just for the geeks in the IT department
Our first-year university students might have received no education on cybersecurity since the age of 13, say Andy Phippen and Emma Bond
While many in the higher education sector view cybersecurity knowledge as solely the domain of the IT department, computer science students or shadowy hackers, this year has highlighted many examples of how online learning, and students’ wider use of online platforms, would benefit from a greater understanding of online security fundamentals.
Protecting one’s devices from unauthorised access and the downloading of personal images, or preventing someone from playing pornography in an online class, requires not only awareness of harms and the correct safeguarding policies but also some technical capabilities to help everyone mitigate digital risk.
The need for online safeguarding to extend into higher education is, thankfully, gaining traction, albeit hampered in the UK by a lack of interest from the regulator. It is perhaps unsurprising that this has garnered greater interest in a year of online teaching and the associated online pastoral support for students.
As two academics who have worked hard to encourage universities to engage with online safeguarding in a proactive manner over recent years, we are pleased to see an increase in coverage in the higher education press, along with calls from institutions for help defining policy, raising student awareness or putting systems in place to support students at risk of online abuse. Obviously, this THE Campus Spotlight addressing many aspects of online safeguarding reflects the increased importance placed on the topic by the sector.
However, one aspect that seems to be missing from these discussions is the intersection between online safeguarding and cybersecurity. Both disciplines have at their heart the wish to manage risk when online, but from an educational perspective it seems that the two exist on parallel tracks with no chance of convergence in the future. This is not unique to HE; we see a similar situation in statutory settings, where online safety is viewed as an aspect of social education and cybersecurity is a technical skill.
However, to take a simple example, if someone shares intimate images with their partner, it is possible that these images end up in a cloud store. Without effective password practices – using strong passwords that aren’t easy to break or, even better, two-factor authentication – the subjects of those images are immediately placed at risk should someone try to guess the password to the store and download and distribute those images. Put simply, good cybersecurity knowledge results in a better skill set to mitigate the risk of online abuse.
If we are concerned about the level of online safeguarding knowledge of our students when transitioning from school to university, we should be doubly concerned about their cybersecurity knowledge.
While there are some statutory requirements for schools to deliver some form of online safety education to their students (notwithstanding education poorly defined in national guidance and rarely inspected by the regulator), no such requirements relate to cybersecurity knowledge. While there is some coverage of cybersecurity basics in the computer science curriculum in schools, there is no requirement to study this subject beyond Key Stage 3. Or, to put it another way, our first-year university students might have received no education on cybersecurity since the age of 13.
When extending the cloud store scenario above around the need for effective authentication knowledge, we have had many discussions with students about the use of technology in personal relationships.
While initially surprised by disclosures, we have become used to confessions of sharing passwords and devices with partners “because we trust each other”, only to see relationships break down and subsequent unauthorised access to devices and file stores, which has resulted in coercive control and harassment by the once-trusted ex.
Again, better knowledge of access control, and of the associated rationale for not sharing the means to access devices with others, regardless of how much they love each other, mitigates the risk of abuse in these scenarios.
From a staff perspective, there is certainly a need to be aware of cybersecurity fundamentals in delivering education online and helping students mitigate their risk of harm. We have seen increased attacks on the higher education sector recently, sufficient to raise concerns for the National Cyber Security Centre, which has updated its guidance to the sector regarding how to address ransomware.
While the infection vectors of recent attacks have not been determined to date, we know that phishing – disclosing data such as usernames and passwords as a result of being misled by convincing emails – is a popular route and there have been successful, high-profile phishing attacks on the sector in the past.
Further examples of the need for cybersecurity knowledge come from issues that have arisen around Zoombombing, where pornographic content has been played during online lectures. In some cases it seems that unknown participants play this content; in other cases it is known students. Regardless, good knowledge of access control means that, first, the lecture is not open to those without a password and, second, participants are not provided with the means to take over a session. Furthermore, a knowledgeable member of staff will know how to manage, and if necessary eject participants from, a session.
Clearly, there is real need for cybersecurity knowledge that extends far beyond corporate IT – a digitally resilient institution is one that has effective safeguards in place but also one that equips all stakeholders with the knowledge to keep their, and corporate, assets protected. While this might seem like yet another call for yet another session of staff training and student education outside their programme of study, these are, essentially, life skills. They are as fundamental to employability as the capability to construct a CV.
Andy Phippen is professor of digital rights at Bournemouth University and Emma Bond is professor of socio-technical research at the University of Suffolk. Between them they have more than 30 years’ experience researching online safeguarding.