The education sector is one of the most targeted by cybercriminals. According to the report Cybersecurity in Portugal, released in July 2024 by the National Cybersecurity Center, the Government Area of Education, Science, Technology and Higher Education ranked 5th by number of incidents in 2023, with a total of 150.
Institutions of this type deal with large volumes of sensitive information, from the personal data of students and staff to scientific research. In order to safeguard it, the effort must be made by everyone who has dealings with the entities, namely their employees, who are extremely important in this process.
According to Carlos Friaças, manager of RCTS CERT, the digital service of the Foundation for Science and Technology, developed by FCCN: "Employees should always have a preventive attitude and, if in doubt about carrying out certain actions, they should ask other people if it makes sense to do so, and assess the risk to the organization."
However, do employees know how to protect their own security? What preventive attitudes should they have? To answer these questions, the security service team at FCCN has five essential tips.
#1 Don't open files from unknown sources
The person who sent you an email may seem familiar, but always check that it's safe to download an attachment or click on a link. Often, cybercriminals use emails that appear to come from reliable sources, even pretending to be from the university itself, but which, on closer inspection, are neither legitimate nor actually from that source.
When you download a file or access a link, you may be downloading malware, viruses or other invasive software designed to damage your computer or try to access personal information. These strategies usually constitute two types of attack: phishing and ransomware.
#2 Respect warnings about potentially malicious websites
A study published by the Google Chrome browser team concluded that only one in four users respects Secure Sockets Layer certificate warnings. Taking your browser's warnings into account is, however, a basic cybersecurity practice to avoid unpleasant consequences for the institution where you work and for yourself.
Choosing the "proceed to unsafe website" option when a website displays a warning notice can result in information theft, for example. When faced with such a warning, back out. If the website is legitimate, a valid certificate will be installed again later.
#3 Make copies of content that is not regularly backed up
The immediacy of technology can create the illusion that all information is forever available online. However, certain attacks can make this no longer a reality.
For this reason, one of the most basic cybersecurity practices is to create copies of the most sensitive information, which in the case of educational institutions can include student and teacher data, salaries, payments and even confidential research. This information should therefore be replicated in a secure location that is separate from the original device.
#4 Never share passwords
Password sharing has been identified as one of the main internal security risks in organizations: the more people who know a password, the more likely it is that a security breach will occur.
Multi-factor authentication systems are an extra security barrier, as is the use of a password manager, which makes it easy to use a strong, different password for each of a person's accounts.
It is also important that the password you use at your institution is not used in any other area of your life, and that you do not leave it recorded anywhere, whether physical or digital, no matter how harmless it may seem: your workplace is no exception.
#5 Use Secure Networks
Avoid using public Wi-Fi networks to access sensitive information. Whenever possible, use Eduroam, your institution's secure network.
When working remotely, use a virtual private network (VPN) to establish a secure, encrypted connection to the resources you need to access.