Skip to main content
Cybrary
Start
Higher ed cyber & AI readiness

Assess Your Utah Institution's
Cyber Readiness in 5 Minutes

A self-check for Utah higher-ed IT and security leaders in the wake of the Canvas breach. Spot weaknesses across staff, AI, MFA, and incident response — and get a custom training roadmap to fix them.

Take the 12-question assessment Get my training roadmap

What you'll receive

After submitting, Cybrary will send a recommended training roadmap organized by audience:

  • General staff and administrators

    Phishing, MFA, suspicious activity reporting, student-data handling, and AI basics.

  • High-risk administrative roles

    Financial aid, registrar, HR, payroll, procurement, advancement, research administration, and executive support.

  • Faculty-facing and academic operations

    LMS incident awareness, student communications, AI tool use, and academic continuity.

  • IT, help desk, security and leadership

    Phishing triage, account compromise, identity/SaaS/cloud logs, hands-on IR labs, and executive cyber/AI governance.

Schools across the country train with Cybrary

  • Harvard University
  • MIT
  • Stanford University
  • Yale University
  • Princeton University
  • UC Berkeley
  • University of Michigan
  • Cornell University
  • Duke University
  • NYU
  • Harvard University
  • MIT
  • Stanford University
  • Yale University
  • Princeton University
  • UC Berkeley
  • University of Michigan
  • Cornell University
  • Duke University
  • NYU

Why this matters for colleges and universities

Higher ed cyber risk is not just an IT problem. When a trusted platform like Canvas, Microsoft 365, Google Workspace, Banner, Workday, PeopleSoft, Slate, or a research system becomes part of an incident, the impact ripples through academic operations, faculty workflows, student services, financial aid, research, HR, legal, communications, and executive leadership.

FSA's Safeguards Rule and recent vendor incidents make clear what institutions need: a qualified individual, role-based training, vendor and identity readiness, AI-use guidance, and technical responders who can investigate when something goes wrong. This scorecard helps you see where your campus is ready and where training would reduce risk.

The Canvas incident made this real

Federal Student Aid noted the Canvas incident affected both K-12 schools and institutions of higher education, with unauthorized access to usernames, email addresses, course names, enrollment information, and messages. FSA warned that students, parents, and instructors may contact institutions, and recommended coordinating communications through each institution's incident response plan.

That is why this assessment looks beyond basic awareness. It covers staff and administrator readiness, AI use, identity sprawl, SaaS/vendor visibility, incident response across campus, FERPA and GLBA/Safeguards obligations, and the hands-on technical skills IT and security teams need when something actually happens.

Choose your assessment

Start with the 5-minute pulse. Switch to the full checklist if you want a detailed working session across IT, security, compliance, and campus leadership.

PulseAnswer the 12 questions to see your readiness profile
0 / 12

For each question, choose the answer that best describes your institution today.

1

Campus cyber ownership

Does your institution have a named cybersecurity owner or qualified information security leader, plus a backup, responsible for coordinating cybersecurity training, incident escalation, and vendor-response readiness?

Why this matters

Higher ed incidents often cross IT, academic affairs, student services, legal, compliance, research, finance, HR, and communications.

2

Incident coordination across campus

If a major platform such as Canvas, Microsoft 365, Google Workspace, Banner, Workday, PeopleSoft, Slate, or another critical vendor had an incident tomorrow, would IT, security, legal, communications, academic leadership, student services, and the help desk know who owns what?

Why this matters

A vendor incident still becomes a campus operational incident.

3

Tabletop practice

Has your institution run a tabletop exercise in the last 12 months involving an LMS/vendor incident, phishing campaign, account compromise, ransomware event, or student-data exposure scenario?

Why this matters

Written plans are helpful, but practice exposes unclear ownership, weak communications, and training gaps.

4

Staff and administrator cyber awareness

Do staff and administrators receive annual cybersecurity awareness training covering phishing, credential theft, MFA fatigue, suspicious links, incident reporting, and safe handling of student or institutional data?

Why this matters

The first person to notice an incident may be in advising, financial aid, the registrar's office, HR, athletics, advancement, or a department office — not IT.

5

High-risk administrative role training

Do higher-risk groups — financial aid, registrar, HR, payroll, procurement, advancement, athletics, research administration, executive assistants, and department administrators — receive role-specific cybersecurity training beyond basic awareness?

Why this matters

These roles handle sensitive workflows, money movement, student records, donor data, research administration, personnel data, and executive communications.

6

Student records, financial aid, and regulated data

Are staff trained on how cybersecurity incidents intersect with FERPA, financial-aid data, GLBA/Safeguards Rule obligations, HR data, donor data, health data, and research-related information?

Why this matters

Higher ed has a more complex regulatory environment than most K-12 districts. FSA expects a written information security program with a qualified individual, risk assessment, service-provider oversight, and incident response planning.

7

Reporting suspicious activity

Do staff and administrators know exactly where and how to report suspicious emails, login pages, vendor messages, unusual AI tools, suspected account compromise, or possible data exposure?

Why this matters

Fast reporting can be the difference between a contained account issue and a broader campus incident.

8

AI usage guidance

Does your institution have clear guidance for staff and administrators on approved AI tools and what student, employee, financial, research, or institutional data should not be entered into unapproved AI systems?

Why this matters

Shadow AI is becoming a data-handling and compliance issue, especially when staff use public AI tools for advising notes, student communications, HR workflows, research administration, or financial-aid support.

9

AI-enabled threats

Have staff and administrators been trained to recognize AI-enabled phishing, fake help-desk messages, synthetic voice or video impersonation, fraudulent vendor requests, and convincing AI-generated misinformation?

Why this matters

AI makes social engineering cheaper, faster, and more believable.

10

Identity and access readiness

Is MFA required and regularly reviewed for staff/admin accounts, privileged users, financial-aid systems, SIS/ERP, LMS, email, cloud platforms, VPN, research systems, and other high-risk applications?

Why this matters

Higher ed identity environments are messy: faculty, staff, adjuncts, students, alumni, contractors, researchers, service accounts, shared mailboxes, and departmental admins often create broad attack paths.

11

Technical investigation capability

Can your IT, help desk, or security team investigate likely account compromise by reviewing identity logs, email headers, suspicious links, SaaS/cloud logs, admin activity, endpoint alerts, and vendor notifications?

Why this matters

Awareness training reduces risk, but when an incident happens, technical teams still need hands-on skills to investigate and respond.

12

Role-based training plan

Do you have a current cybersecurity and AI-awareness training plan separated by audience — general staff, high-risk administrative roles, faculty-facing staff, IT/help desk, security teams, and executive leadership?

Why this matters

One generic training course will not prepare every campus role for the risks they actually face.

Top training priorities right now

Pick up to 3. 0/3 selected.

Answer the 12 questions above to see your readiness profile.

Get your institution's training roadmap

Submit your responses and Cybrary will send a recommended training roadmap tailored to your campus — covering general staff, high-risk administrative roles, faculty-facing teams, IT/help desk, security teams, and executive leadership.

We do not ask for student data, system details, or sensitive security information. This assessment only collects your business contact information and your high-level readiness responses.

Answer the 12 questions above to see your readiness profile.

By submitting, you agree that Cybrary may contact you about your assessment and training recommendations.

© 2026 Cybrary. Hands-on cybersecurity training.

Built for Utah college and university staff, IT, and security teams.