University students in 2021 have a worldview of cybersecurity that has been shaped by the pandemic and forged by immersion in technology from cradle to college.
Smarter MSP recently caught up with Bilal Shebaro, an associate professor in the Department of Computer Sciences at St. Edward’s University in Austin, Texas. Shebaro shares insights on how teaching robust cybersecurity strategies to students on college campuses can prepare them for the corporate world.
Tech-savvy students
Shebaro advises that the generations are “speeding up.” That old rule of thumb of a generation of students being lumped into a period of 10 years or more (think Baby Boomers or Generation X) doesn’t apply anymore.
“Every 4 or 5 years, students are coming in with a different mentality and a different skill set; they experience things very differently than the previous generation,” Shebaro says. This year’s crop of freshmen, for instance, will come to campus this fall fully familiar with online learning. And with this familiarity comes an equal depth of cybersecurity knowledge.
“Students are getting exposed to these things earlier and earlier, so their minds are opening to threats and the necessity to bring cyber threats under control,” Shebaro points out. Shebaro also says students who enroll in cybersecurity classes today are more likely to have had direct experience with an attack or hack in the past, which has generated greater interest in the field.
“Once they realize how relevant cybersecurity knowledge is and how they use the internet every day on smartphones, tablets, or wearables, they want to use these devices in a better, safer and more protected way,” Shebaro states.
Today’s students, Shebaro continues, have a front-row seat to what is essentially a “cat and mouse” game.
“Systems get more secure, but hacking techniques get more sophisticated,” Shebaro advises, adding that new technologies are continuously emerging and how much they have been tested for robust cybersecurity often remains to be seen.
From classroom to boardroom
What is taught in today’s classrooms about cybersecurity can have implications at work – something CISOs, MSPs, and all security stakeholders should be aware of. Employees at companies should be trained in cybersecurity in the same way students are schooled in these technologies.
“I teach them theory but also practice…when you are teaching security from a textbook, but you do not have them experience it, it is not very useful,” Shebaro advises. So he goes about creating opportunities for practice which involve sample attacks and sample defenses, to see how students can improve.
“You have to have that practice,” Shebaro says, adding that security stakeholders can create mock systems for employers to learn the ropes of cybersecurity.
“What we like is to close the gap between what students learn in class and what they face in the real world,” Shebaro conveys.
Shebaro advises that collaborating and communicating more on cybersecurity issues is something that could foster better comprehensive cybersecurity for both businesses and universities. People from the industry can come to universities, provide resources, deliver guest lectures to students, and assist instructors.
As a result, when students move on into their careers, they are trained and well-versed in cybersecurity. Creating a solid internship program is another great way to foster two-way communication between business and academia.
Today’s biggest cybersecurity issues
Shebaro says a lot of today’s biggest breaches are centered around socially engineered phishing. The same techniques that colleges use to educate students about cybersecurity can be used by MSPs to inform workers. Shebaro also notes that you have to inform people and give them examples of how it can happen to them. It’s not just an “older, non-tech savvy” person who can fall prey to socially engineered phishing.
“Pretty much everybody can fall victim,” Shebaro advises, adding that he thinks cybersecurity conversations must begin at the earliest levels: elementary and middle and high schools.
The pandemic, Shebaro says, has even society’s youngest members clutching Chromebooks, so the conversations need to begin early. He notes that there are plenty of YouTube videos that show how a socially engineered phishing attempt can succeed, and these can be good teaching tools for anyone of any age.
“Phishing happens over phone, email, or text; it’s all about manipulating human psychology,” Shebaro points out, adding that school faculty have been frequent targets with emails purporting to be from “the dean” arriving in inboxes.
“And, of course, that’s my boss, so I won’t ignore that,” Shebaro states. “And then the dean gets an email from the Provost.” Of course, none of these are legitimate, but if just one faculty member falls for it, the hackers gain a foothold. Attacks will continue to use social engineering, and the number of targets continues to increase.
“They want to reach as many people as possible,” Shebaro says, and the proliferation of wearables (smartwatches, smart glasses, smart rings, and the like) creates even more vectors, both at work and at home. Attacks will continue to grow as an increasing amount of information and data is moved to the cloud. AI will also become more prevalent, but perhaps one of the biggest changes is just how hackers have made attacks that were once easy to spot into stealth instruments.
“I used to tell my students when your computer has a virus you will notice, it is slow, acting up, not doing well…nowadays you would not know, (hackers) want your machine to stay functioning smoothly so you won’t notice,” Shebaro adds. That’s just one of many changes to the rapidly evolving world of cybersecurity. But by incorporating the teaching techniques found on college campuses, MSPs can stay a step ahead of cybersecurity threats.