3 tips to help your institution prioritize cybersecurity
It’s never been more important that higher education institutions put in the necessary work to ensure cybersecurity
Colleges and universities are taking a hard look at the past year and the many data challenges they’ve faced amidst the COVID-19 pandemic. From phishing campaigns to ransomware attacks, the increased numbers of employees and students working and studying from home has greatly increased security risks for institutions of all sizes.
The 2018 Education Cybersecurity Report shows that the U.S. education systems rank last amongst U.S. industries for cybersecurity, and with colleges and universities holding personally identifiable information (PII), and financial and health records for many of those affiliated with the institution, this should not be the case. Additionally, many universities offer email for life for its faculty and alumni, creating a large attack surface for bad actors.
Higher education institutions dedicate just 3.6 percent of their IT budgets to information security. Combining poor security, a large attack surface, treasure troves of data and no real investment to change makes universities and colleges prime candidates for a cyberattack.
Below are three simple, yet effective, initiatives colleges and universities can take to improve their cybersecurity posture.
1. Train faculty and students—not just now, but frequently. New threats and attack vectors are constantly being introduced into the wild and it’s imperative that students and faculty are aware of the various types of cyber threats. Cybersecurity training is a constant, and it should be performed regularly for faculty, students, employees and third parties who have access to university or college resources.
Training must not only be provided; training compliance must also be enforced and prioritized, as it is often the most effective defense. For students, this could mean registration holds for each semester they are active until training is completed. For employees, training should be part of the annual review process, with accounts locked until compliance is achieved. Finally, third parties should have access revoked until training is successfully completed.
Oftentimes, cyberattacks result from human failure, meaning training can greatly help minimize cyber risk. The training program should include topics related to social engineering, as well as how to spot phishing/smishing/spear phishing attempts, the importance of securing home networks, and common-sense approaches to passwords and physical security of devices.
2. Invest in the future and your data. The likelihood of a breach is nearly 100 percent, and it is no longer a matter of “if” but a matter of “when” a breach will occur. There are some relatively simple tactics that can prevent the next breach. For example, multi-factor authentication is one option, and while it does not prevent all breaches and is not foolproof, it will stop 99.9 percent of automated attacks.
Traditional passwords are now becoming a thing of the past and are frequently the weakest link in the security chain. In fact, 61 percent of breaches involved the unauthorized use of valid credentials. With this in mind, passwordless authentication methods are a beneficial option to better protect the institution’s data.
A Zero Trust security model, also known as perimeterless security, can also be adopted by colleges and universities to strengthen their cybersecurity program. This model holds that no device should be trusted by default; each must be verified with each use. It is important to note that Zero Trust is not solely a technology solution: it also requires process and procedure investments, and it is a journey that will inevitably evolve over time.
Once a breach has occurred, the institution must have a well thought-out and thoroughly tested response plan. You will likely find holes within the plan during your response process, which should be fixed during a detailed post-breach evaluation. As cyberattacks become more advanced, your plan should advance in parallel with ongoing updates and revisions over time.
3. Re-prioritize and re-organize. Only about 42 percent of higher education institutions have a Chief Information Security Officer (CISO) role, a minuscule number considering that 2020 marked a record year for cyberattacks against schools. It’s critical that colleges and universities see the benefits that a leader in data and security can have within an organization.
As the number and cadence of cyberattacks increase, preventing those threats should be prioritized and made the primary responsibility of a leader within the institution. This position should also have direct access to the president and their cabinet to ensure they have full support of and transparency with the decision-makers. A CISO is the key to setting information security policy and protecting against the next attack.
The future of institutions relies on cybersecurity
Improving the institution’s cyber posture is not an insurmountable task. There are important steps that must be taken in order to better inform staff and students and rely on them to protect institutional data, including annual training, investing in security, and building an organization that treats cybersecurity with the importance it deserves.
While it seems like a heavy lift, it’s never been more important that higher education institutions put in the necessary work to ensure cybersecurity. And although it’s an ongoing effort, it’s worth it in the end.