6 Steps Colleges and Universities Can Take to Protect Against Cyber Attacks: Part 2

The U.S. education system ranks last for cybersecurity among U.S. industries, particularly in areas of application security, network security and patching cadence. This is bad news for universities, good news for cyber criminals.

Higher education institutions are prime targets for a number of reasons, according to security ratings company SecurityScorecard. Security investments are often put off. Especially during the pandemic, when many students are learning remotely even if they live on campus, universities want to make it easy for students and professors to access a wide variety of applications and data. Student awareness of cyber safety can be spotty, and students may become easy targets.

What’s more, college students typically come to campus with their own laptops, desktops, smart phones and tablets, providing a huge volume and assortment of devices for criminals to attack. And finally, it’s often easy for nefarious strangers to walk through a large campus environment unnoticed, entering research labs and planting USBs. 

Universities are big targets and need to go big to secure their networks against unauthorized access and protect against cyberattacks. When it comes to protection, like the old saying goes, an ounce of prevention is worth a pound of cure. Two easy and cost-effective ways to prevent issues include providing basic training for all network users, even if that includes only distributing a handbook to staff and students on good cyber habits. Also, institutions can implement an easy-to-use multi-factor authentication (MFA) tool that users need to use when logging onto a network.

A recent National Law Review article details six steps colleges and universities can take to protect the confidential information of students, staff and the university itself and contain cybersecurity risks.

1. Perform an information assessment. Identify the data your institution holds, how you use the data, how you protect the data and who has access. Universities typically hold an overwhelming volume of valuable and sensitive data in both electronic and paper format, including personal, financial and medical data on current, former and prospective students, staff and faculty. Once you inventory the types of data your organization has and the purpose for holding the data, you can then identify departments and resources that deal with data privacy issues and create a data protection plan that meets your institution’s unique needs.

2. Assess assets. Perform routine assessments of network devices, systems and software platforms, monitor for suspicious activity and identify solutions that minimize risk. Getting a solid understanding of your network and all the devices on it can enable you to conduct a risk assessment to identify cyber threats and vulnerabilities within your environment, then tailor solutions like firewalls, encryption and authentication solutions to fit your needs.

3. Review vendor relationships. Higher education institutions typically share information with service providers for a number of reasons, including processing applications, providing financial aid or hosting websites and student portals. While most service providers are on the up and up, some are not. Do your due diligence and vet vendors before granting access to personal information. Insist that service providers sign a written contract to protect confidential student data.

4. Revisit insurance policies. U.S. institutions can take out cyber insurance policies to cover some of the risks that come with data breaches. If you are considering such a policy, pay special attention to exceptions that may not cover all cyber risk. If you have a policy, make sure it is updated to cover evolving risks.

5. Consider hiring a CISO. Chief information security officers can contribute expertise and skills on information security issues and be in charge of reviewing and commenting on internal policies and procedures, assessing data management policies and practices and researching and recommending technologies for mitigating security risks. You can hire a part-time CISO or go as far as hiring a full-time CISO.

6. Prepare a cybersecurity incident response plan. There’s so much at stake in the event of a cyberattack. Data security breaches can shut down your institution, cost thousands of dollars in ransom fees and cause immeasurable reputational damage. Develop a plan that identifies the right person in your institution to contact in the event of a breach, figure out how to remediate systems to stop the incident and decide more generally how you’ll respond to a cyberattack. Create the plan proactively, tailor it to your specific needs and make sure it addresses preparation, detection and analysis, containment, eradication and recovery.
