Supporting cybersecurity literacy for workforce-ready graduates
Employers need a cybersecurity-literate workforce, and higher education could play a valuable role in filling the gap
Cybersecurity’s profile in higher education has grown in recent years, with numerous universities offering dedicated courses and several now recognised as Academic Centres of Excellence in Cyber Security Education. However, much of this work targets students specifically studying the topic and does not address the need for those across all disciplines to be cybersecurity-literate. The result is that many students enter university with limited cybersecurity knowledge and then graduate in much the same state.
Alternatives to this approach include embedding cybersecurity in university curricula more broadly and running awareness campaigns that make clear the distinction between online safety and cybersecurity.
- Cybersecurity in the HE sector – getting the basics right
- Secure and transparent use of student data
- Cybersecurity in online learning
Digital literacy is not enough
Universities often take a stance on digital literacy and support students in developing the capabilities to use technology in general. However, attention towards cybersecurity (a key underpinning of using the technology safely) is often lacking. Looking at Jisc’s digital capability framework as an example, cybersecurity gets a mention, but you could easily miss it.
Seeking a cybersecurity-literate workforce
Universities can enable the future workforce to be cybersecurity-literate. Successive releases of the UK’s Cyber Security Breaches Survey have shown that organisations don’t address awareness to a significant or even sufficient extent. For example, the latest findings suggest that in the past year only 17 per cent of UK business have provided cybersecurity training or awareness-raising sessions for staff who are not directly involved in cybersecurity. Awareness and training consequently end up ill-served compared with most other aspects of cybersecurity, and certainly get less attention than technical measures. And yet we’re continually told that people are the “weakest link” in cybersecurity. Is it any wonder if we don’t support them and they are left to fend for themselves?
Getting the message across
Those heading towards the workplace need to get their awareness from somewhere, and universities are well placed to take a role in providing this knowledge. Although it would be nice to imagine that incoming students are already up to speed, cybersecurity isn’t necessarily on their radar or properly understood. Schools have (quite rightfully) established a strong message around e-safety issues such as cyberbullying, data sharing and grooming, but cybersecurity aspects haven’t come through as clearly. There is also a risk of the issues being conflated, such that students consider they know about cybersecurity because they think it’s the same as online safety.
By covering the foundational cybersecurity knowledge and behaviours, universities would reduce the need for organisations to address basic awareness and hygiene aspects. This would also make the graduates themselves more workplace-ready.
What does cybersecurity literacy look like?
As a baseline, everyone should know the fundamentals promoted by the National Cyber Security Centre’s Cyber Aware campaign. This covers a series of important measures, which readers may also wish to check against their own knowledge and practices. These are:
- protecting your email accounts with a strong password (an email account can contain sensitive information, and often represents a “hub” account to which password reset messages for other accounts will be sent)
- keeping devices updated and turning on automatic updates
- enabling two-factor authentication on important accounts
- enabling security features on devices (such as authentication, auto-lock and any “find my device” features)
- using antivirus and firewall protection where available
- securing smart/connected devices (ensuring that they are not overlooked alongside our traditional computing devices)
- ensuring downloads are from trusted/official sources
- backing up data and enabling automated backups.
Shaping and sharing the message
Unfortunately, simply directing students towards the guidance and relying on them to read it is unlikely to get very far. Many won’t look anyway, and those who do may have questions about how to put the advice into practice. The NCSC site has “how to” links for some points but being told is often no substitute for being shown.
So, another opportunity for universities to contribute is by promoting the advice to students more proactively, providing the chance to explain it more fully, offering practical guidance to help people apply it on their own devices, and framing the messages so that they speak to the student audience, highlighting the relevance to their university life and beyond.
Exactly how to do it depends on the appetite, capacity and commitment of the university. We can think in terms of a layered approach, depending upon how much support the university is willing and able to provide. A baseline would be an awareness campaign, aligned with (or even directly promoting) a wider initiative such as Cyber Aware. Going further, this could be supplemented by internal roadshows or pop-up events, or more structured opt-in skills training that focuses on ensuring that students can do what Cyber Aware is suggesting.
But arguably the most valuable and impactful approach would somehow integrate cybersecurity skills training by default within curricula. In this way they are sure to feature somewhere within the student experience, and we boost the chances of shaping workforce-ready, cybersecurity-literate graduates.
Steven Furnell is professor of cybersecurity at the University of Nottingham.
If you would like advice and insight from academics and university staff delivered direct to your inbox each week, sign up for the Campus newsletter.