Mobility is just part of everyday life for the vast majority university students, like electricity or tap water. They come to campus with mobile phones, laptops, consoles, and wearables without many concerns about securing their devices or protecting campus networks.
This is precisely why American universities need to establish a clear framework for private mobile device use inside campus premises.
According to CIO Magazine, implementing and enforcing good BYOD, or bring-your-own-device, policies has even challenged such highly regulated organizations as finance companies and government agencies.
It's easy to imagine the impact of BYOD on university IT services when you realize they house the most connected generation in history.
The Difficulties of Managing BYOD in Universities
The CTO of the University of Kentucky, Doyle Friskney, agreed that controlling BYOD on campus presents challenges that businesses may not face. Students expect to use their devices with the school's internet connection for classwork, entertainment, and even socializing.
Companies have considerable leverage over people they issue paychecks to, but colleges on the other hand understand that students pay tuition that helps support the institution itself. Universities don't just need to get employees to comply with security policies; they also need to enforce them with their 'customers'.
It's clear that Universities and students don't have any immunity to sophisticated and common digital threats. The same attacks that compromise finances, personal information, or even private research could generate losses, lawsuits, compliance penalties, bad press, and in the worst cases, criminal charges to any school.
Communicating the School's BYOD Strategy
While college IT departments must contribute by implementing security measures like two-factor authentication and firewalls, students also need to understand that they need to do their part.
Recent IBM research has concluded that most cyber attacks result from intentional or unintentional cooperation from people who are already authorized to use the affected computer system. These days, inside jobs may pose worse threats than sophisticated hackers from outside an organization.
Make Sure Students Understand the Rules for Using Their Own Devices
Colleges need to let students know that they are serious about computer security and the consequences for failing to cooperate with policies. In order to accomplish this, some colleges require students to read and sign an online contract before they can access the school's network.
They may even take the extra step of having students take an online class about computer security colleges before signing the contract and gaining access.
Some highlights of this campus computer security document might include:
- Students must secure devices with passwords and keep screens locked when not in use. This should keep other students or outsiders from using the device when it's out of sight of the owner.
- Students should be suggested to have their connected computers at school tracked electronically to secure them against device and data loss. For example, Prey can start sending evidence reports as soon as a device gets reported as missing on campus.
- Students have to agree to register any connected device they use at school before it ever logs into the network. Colleges can implement an automatic registration system that won't inconvenience users but will allow IT to network use if they need to.
- If the device does get stolen or lost, students have an obligation to notify the IT department immediately to prevent further access. IT can instantly wipe devices from registration as soon as they are reported as lost.
- Students have to commit to installing and maintaining security software on any devices used to access the college network. Obviously, device security software can help catch viruses or hijacking attempts, but it has to stay updated to function well.
Establish Acceptable Use Policies for College Networks
In addition to these steps, colleges might also add other restrictions to their policies. For instance, students should understand exactly what constitutes acceptable use, the limitations of the college's liability, and banned applications.
For instance, your university might allow students to use the college Wi-Fi to access entertainment or social networks. Obviously, students won't expect to use all of their computer time on their campus doing homework. On the other hand, colleges might ban certain kinds of online activities or even certain websites. Sadly, this won't prove as simple as banning illegal download or adult sites.
Even though assuming that sketchy websites pose the worst dangers from malware seems intuitively obvious, just avoiding those kind of sites won't foolproof your network.
The Department of Homeland Security uses a color-rating system to display their judgment of the relative dangers of various sites, and usually, it's the type of applications that run on the site and not the content that makes websites safe or dangerous.
These are some examples of the DHS security rating system:
- Red: Torrent sites rate the highest level of warning because they have no good reputation to defend. Nobody should visit an illegal download website without expecting that some other users may exploit it.
- Orange: Search engines and social site results for popular topics rate a strong caution. McCaffee found that almost 20 percent of the search results for Cameron Diaz screensavers were loaded with malicious downloads.
In any case, this should be a proactive process in which students are given tips about the kinds of sites and activities that carry the greatest risks. In many cases, avoiding these websites, and keeping security tools updated can greatly help to reduce the risks.
Educate Students About Keeping Their Connections Secure
Having internet connections and networks hijacked is another growing problem. For instance, the KRACK security vulnerability in the WPA2 protocol made news last year. Hackers could use this vulnerability with supposedly secure networks to intercept information or even inject malicious data.
Part of the BYOD strategy in universities should include educating users about cautions that must be taken when accessing public and foreign networks with their own devices.
For instance:
- Students should double check that they are logging into the right network, since an attacker may emulate networks with very similar names in order to steal credentials.
- Students should remain suspicious of any networks that don't have the lock icon to indicate that they are secured.
- Colleges should advise students to remain wary of public Wi-Fi they may encounter when they travel away from campus, and even encourage the use of a VPN when they do connect to these networks, for extra security.
It Comes Down to...
Cooperating with Students to Promote Safe Internet Usage
Universities need a great security infrastructure designed with BYOD in mind, but its crucial that students are informed properly to promote cooperation.This effort will require an education process, and a compromise stage in which students could be required to sign security compliance contracts.
In fact, teaching students about the importance of computer and internet security can help them gain a useful insight on how to keep their online lives safe at home as well.
Remember, this process must turn into an experience that's positive for both the school, and the students. A smart student can be your greatest defense.
Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.