On Nov. 13, the Center for Information Technology released a short online training course on safeguarding against cybersecurity threats to students and faculty. The course, which consists of short videos and tests, was provided by Wizer, a company that specializes in cybersecurity training and remains open to students and faculty until Dec. 13.
Chief Information Officer at CIT Marcel Mutsindashyaka said that cybersecurity has been a major focus in the CIT since he arrived last November. Mutsindashyaka said educational institutions are targets for cyberattacks because their systems handle students’ social security and bank account numbers for tuition payments. Cyber criminals also target research information at colleges and universities and enact ransomware attacks that disable systems until a payment is made. Mutsindashyaka cited that 79 percent of institutions of higher education were affected by ransomware attacks in the past year.
Oberlin has faced cybersecurity attacks in the past. In 2019, the Review reported that cyberattackers were able to breach the admissions database. This Thursday, CIT sent an email to students and faculty warning of an increase in phishing emails. Phishing emails are designed to trick recipients into divulging sensitive information or installing malware.
“This highlights the importance of remaining vigilant and applying the cybersecurity best practices we recently covered in our recent cybersecurity awareness training,” read the email.
CIT has adopted a threefold approach to address cybersecurity threats: updating hardware and technological infrastructure, crafting administrative policies that support good cybersecurity practices like strong passwords, and educating students and faculty members. Mutsindashyaka stressed the importance of education, saying that the most robust cybersecurity hardware cannot protect against cybersecurity threats if users are uninformed, pointing out that an estimated 95 percent of cyberattacks on educational institutions were preventable and due to bad practices. He said that the Wizer training was provided as part of the school’s cybersecurity insurance.
“To prevent cybersecurity threats and safely navigate the digital campus and workplace, the Community Cybersecurity Awareness Training at Oberlin is essential,” Mutsindashyaka wrote in an email to the Review. “It empowers participants to identify and prevent potential cyber risks. Therefore, I urge all users to participate in this 20-minute recurring cybersecurity awareness training and thank hundreds of members who have already completed their assignments this fall.”
Associate Professor of Computer Science Stephen Checkoway, whose President’s Lecture earlier this year focused on cybersecurity, agreed that users of technology are partially responsible for keeping systems secure.
“Users of a computer system should only be responsible for ensuring that their account credentials (e.g., a password) are kept private to keep others from accessing their account,” Checkoway wrote in an email to the Review. “The security of the rest of the computer system should be the responsibility of the system administrators. Unfortunately, users can be tricked into revealing their account credentials through techniques such as phishing. … Hardware security keys for multi-factor authentication — such as Yubico’s security keys — prevents this sort of phishing from being successful. Although Oberlin’s systems support hardware security keys, the unfortunate reality is that very few people use them. This pushes the burden of not getting tricked to the users themselves.”
Mutsindashyaka said that this month’s cybersecurity training is only part of a larger program that began last July. He said that another aspect of the program is the replacement of ObieWifi with the secure network, eduroam. Mutsindashyaka said he encourages Oberlin students to switch to eduroam, and that CIT plans to remove ObieWiFi in January.