According to a May 2019 report from Moody’s Investors Service, cyberattacks on higher education institutions are on the rise. Colleges and universities have quite a bit of intellectual property, research, and confidential information on students, parents, finances, and medical records in their networks. College and universities that undertake substantial research or that have medical centers are at higher risk for cyberattacks and would suffer the greatest impact from an attack.
Many higher education institutions take a “set it and forget it” approach to security. They think about security just one time by setting up their security procedures and policies and then forgetting about it. Unfortunately, in today’s environment, cybersecurity cannot be taken lightly. Although institutions may not realize it, their data is quite attractive to hackers. Nation-state hackers are probing systems trying to access information to use for their own national interests or to be sold to generate revenue to fund clandestine activities for their domestic economy. Each year brings new cybersecurity threats and breaches. Hackers will eventually find and exploit a cybersecurity weakness if systems are not protected.
In its 2018 Education Cybersecurity Report, SecurityScorecard, a New York City-based IT security company found that the education industry is not taking many of the necessary steps to protect from cyber-vulnerabilities. The education industry was ranked the worst in cybersecurity out of 17 markets. The study revealed that education’s main areas of cybersecurity weaknesses are application security, endpoint security, patching cadence, and network security. While hackers have become more sophisticated, educational institutions have not kept up.
Here are three best practices that can be implemented today to reduce the risk of a breach.
The most significant security failure organizations face is not implementing updates or being patched up. No matter what systems you are running on your servers, devices, desktops, laptops, etc. they all issue regular security updates. These security updates must be applied on a routine and recurring schedule. Security updates cannot be left to chance or to be done when a security notice is received.
For proper protection, it is critical to schedule a routine programmatic cadence for updates to the operating system, applications, and endpoint security (antivirus/malware). Schedule the updates in off-hours helps ensure that it doesn’t impact daily operations.
Operating Systems – Security updates for your operating system should be installed weekly. Some organizations balk at weekly updates because it requires a system reboot, which involves a minute or two of downtime. This minor inconvenience is well worth the protection that it provides. To minimize disruptions, you can schedule updates during the overnight or on weekends.
Applications – Vendors regularly send new releases and enhancements for applications. These updates should be installed within 30 days of the release of the update. Even though updates may not be strictly for security, some are application fixes or enhancements, being negligent in updating your applications leaves your systems vulnerable to breach. Keeping applications up to date is a necessary process, and one that should be built into routine IT activities.
Antivirus/malware – Endpoint security, including running antivirus and anti-malware, should be part of the campus infrastructure. These patches should be automatically updated daily and can be run nightly during off-hours to give the highest amount of protection for every system on the campus. There has been a trend in colleges not keeping up with their antivirus systems, which leaves them at greater risk for infection. Schools that have been remiss in this effort have seen their whole campus infected. This has resulted in an interruption of their operations requiring several workdays to disinfect, clean up, and repair systems, which resulted in a loss of work time and productivity.
To stay protected, it is necessary to proactively monitor your network for any anomalies and to identify who is entering your network and when. This is required to make sure threats can be identified, and that traffic can be proactively stopped immediately while a threat assessment is made.
Proactive monitoring is conducted with advanced tools such as AIOps. Research and advisory firm Gartner coined the term, AIOps stands for Artificial Intelligence for IT Operations. AIOps provides end-to-end visibility into your IT operation and can quickly detect anomalies when they happen.
Too often organizations institute excessively complicated password rules. They require so many characters and different types of characters that people can’t remember them. Consequently, people write them down and leave them on their desk, or the back of a calendar, or on a desk pad allowing them literally exposed at their workstation which is the worst place to display it.
Another way people try to make it easy for themselves is by using variations of the word “password” or the numbers 1, 2, 3, etc. To gain access to systems, hackers will run approximately 100 password variations through their systems to see if someone is using a simple password or an easily deciphered password.
Instituting proper password management is critical to security. Password requirements should:
Administration user passwords are another area for concern. Only actual approved administrators should have administrative access. There should only be a limited number of logins with that level of authority. To ensure proper system protection default logins should be routinely disabled.
The U.S. Department of Education requires all schools have plans in place to monitor their systems to identify threats and to respond and mitigate identified threats. The Department of Education also mandates that they are notified immediately of all suspected breaches. If these standards are not met, schools lacking appropriate data security safeguards are at risk of losing Title IV funding - financial aid - which is critical to recruiting and retaining students. Additionally, Title IV recipients may now be subject to compliance audits regarding their data security programs.
The risks of cyber threats are high and must be taken seriously. The cost of a data breach can “destroy” your reputation. But it takes resources and best practices to prevent it.
You are not alone. Consider managed services where there is specialized cybersecurity talent and shared best practices. It is more flexible and cost-effective. And since they support multiple enterprises including, higher educational institutions, they are on top of the latest threats.
July 23, 2021
July 23, 2021
When the higher education industry returns to “normal” after the pandemic, institutions will likely still feel its financial repercussion...