A CISO’s View of Cyber Threats Facing Universities
National Security Awareness Month is usually a time to highlight safety tips and new defenses. This year, the University of Arizona’s Chief Information Security Officer (CISO), Tim Schwab, took a broader view – what’s really happening across higher education, and why universities are increasingly targeted by cybercriminals.
“Universities are unique,” Schwab said. “Open networks, thousands of connected devices, and a huge mix of users create a very different risk profile than most companies.”
On any given day, a campus network can host tens of thousands of devices like laptops, phones, tablets, classroom tech, and even research equipment. Some are well maintained while others are overdue for updates. Combine that with sensitive student, employee, and research data, and many universities’ limited budgets for security, and Schwab says you get “a wide-open playing field for attackers.”
Students are often the first targets. As soon as they enroll, many receive fake job offers or text messages that look real but lead to scams. “When you’re moving a hundred miles an hour – new classes, new routines – it’s hard to slow down,” Schwab said. “But that pause is everything. Stop and think before you click.”
While the tools attackers use continue to evolve, Schwab says the main threats haven’t changed. “Ransomware is still the number one concern,” he said, referring to attacks that lock systems until money is paid. “But scams that trick people into giving up credentials or personal information through fake emails, texts, or messages will continue forever because they’re the easiest way in.”
Those tricks, known as phishing and social engineering, rely on human error rather than technical flaws. A phishing attack might look like an email from a trusted source asking you to click a link or log in. Social engineering, Schwab explained, is the broader term for manipulating someone into giving away information or access. “It’s not just about technology,” he said. “It’s about people.”
Unsecured or poorly configured devices, especially research equipment or “smart” technology, make things worse by expanding what security professionals call the “attack surface,” or the number of possible entry points for hackers.
One force accelerating both sides of the cybersecurity race is artificial intelligence. “AI is like fire,” Schwab said. “It can heat your home or burn it down.”
Hackers now use Artificial Intelligence (AI) to write flawless fake emails, clone voices, and create convincing deepfakes. At the same time, security teams are using AI to analyze billions of data points, detect suspicious activity faster, and respond before damage is done. “The threats aren’t entirely new,” Schwab said. “They’re just getting more sophisticated.”
Looking ahead, Schwab doesn’t expect new types of attacks, but he also sees threats becoming faster and harder to detect. What will matter most, he said, are the basics done consistently. “Keep your devices updated. Use strong passwords. Be cautious with what you click,” he said. “The technology will evolve, but so will the fundamentals.”
For university leaders, his advice is to stay visibly committed to cybersecurity. That means funding up-to-date tools, supporting security teams, and reinforcing that everyone plays a role. “We want to protect the university without slowing it down,” Schwab said. “Our goal is security that enables teaching, research, and community impact – safely.”
And for everyone else on campus – students, faculty, and staff – Schwab’s message is just as straightforward: take small actions that add up. Turning on multi-factor authentication might take a few extra seconds, and awareness training might take an hour, but those layers matter. “They’re like locks, alarms, and cameras at home,” he said. “Think before you click and help us help you.”