Managing Cybersecurity in Higher Education
Ever-evolving cybersecurity attacks constantly threaten higher education institutions. Last year, the education sector moved from third to second—tied with business—in the number of breaches by industry, with health care in the No. 1 spot, according to Symantec’s 2016 Internet Security Threat Report. The EDUCAUSE Center for Analysis and Research (ECAR) found 562 reported data breaches at 324 higher education institutions between 2005 and 2014. Those breaches represent about 15.5 million records.

Breaches and their aftermath are costly. The Ponemon Institute, which conducts cybersecurity research, reported that each lost or stolen record cost educational institutions an average of $246 last year. The price tag includes notification of affected individuals, investigation, remediation, credit monitoring, and legal expenses—not to mention the intangible cost of harm to reputation.
Higher education institutions possess massive amounts of data, including personal information about students, faculty, staff, and donors, making them tempting targets for hackers and other digital criminals. The cyberattack risk increases with the emphasis on openness and collegiality that colleges and universities cultivate, challenging them to develop and enforce methods to protect vital data.
“The biggest challenge facing educational institutions is applying security in a more open environment” in which, for example, users may connect personal devices, said Keith K. Hartranft, chief information security officer at 7,000-student Lehigh University in Bethlehem, Pa.
Hartranft uses the acronym OFF (open, flat, and fast) to describe the higher education cyber environment. Open means “we want to collaborate and share and be easily accessible, and that often is at odds with security and data protection,” he said. For example, users might not have up-to-date operating systems or adequate security—or knowledge—to protect their computers from malware, ransomware, phishing scams, and other cyberattacks. Combined with that is the “flat” configuration of many higher ed networks, in which there is little separation or segmentation of systems and data, increasing vulnerability. On the other hand, “Segmentation means greater complexity, which also often means higher skilled network professionals and more capable components,” Hartranft said. Then there is fast, the constant need for larger internet bandwidth connections for data exchange. “This can make much of the equipment used to monitor and/or defend a network quite expensive,” which strains budgets.
Security Systems
Higher education institutions are combating these challenges with technical controls, usage policies, and community education efforts. Those technical controls include:
- Inventories that keep track of network hardware and devices
- Access control and data encryption protocols
- Regular scans to detect vulnerabilities
- Malware defense mechanisms
- Network firewalls
Monitoring those systems has brought closer attention to the role of the cybersecurity officer. Mark Wilson joined the University of South Alabama (USA) in Mobile as information security director last year, a new position. “Before, a lot of people had pieces of cybersecurity. My job is to pull all the parties together and move them in one direction.” USA also has a cyber-risk team headed by the risk management department that includes personnel from the information technology, internal audits, human resources, public safety, provost, and finance offices.
Hartranft agrees with that approach. “Initially at Lehigh, and I believe at many institutions, there are pockets of good security practitioners within differing groups. An initial task of anyone who assumes management responsibility for information security is identifying those practices and leveraging them across the organization, while formulating strategies to address any remaining residual risk gaps with the organization’s risk tolerance,” he said.
USA is updating its incident response plan to address ongoing challenges, Wilson said. Social engineering attacks, including email malware that encrypts files, are a prime worry for cybersecurity administrators. He is also focused on user education, compliance around credit card and Family Educational Rights and Privacy Act (FERPA) regulations, and building a security framework to protect records and research data.
At Lehigh, administrative policies include data classification to guide how data custodians and users store, transmit, and process data. Another Lehigh policy and guide covers the use and purchase of cloud services. “This (policy), along with third-party services security and risk review, may be the greatest need or fastest-rising need in many organizations,” Hartranft said.
Lehigh has also adopted acceptable use policies spelling out what users can and can’t do when using network and computing resources. For example, they can’t run or install programs that might infect a file or computer system with a virus or malware. Other violations include failing to report security loopholes and impersonating someone to access a file or system.
In addition to Hartranft’s office, Lehigh has expanded information security responsibility to teams in systems administration, networking, computing consultants, support, and users. All are involved in training, response, and security deployment efforts with goals of communication and transparency. “A security group needs to be in high contact and highly visible with their community of users in educating and protecting user online identities,” Hartranft said.
The Human Factor
Facing cybersecurity challenges involves not only hardware and software, but also information security staff and programs designed to educate users and protect sensitive data and networks on and off campus. At Lehigh, “the focus remains on proactive sensitive data reduction efforts and even greater threat intelligence collaboration and utilization,” Hartranft said.

For Wilson and USA, securing personally identifiable information (PII) is a priority. PII includes Social Security and credit card numbers as well as student identification numbers, grades, medical records, and other sensitive information. “With a university system that includes 16,000 students, 5,000 employees, and a hospital—you can imagine the amount of files we have to deal with,” Wilson said. “It’s an area of risk because PII can be stored in a lot of area servers and employee personal work systems.”
He is addressing that challenge by strengthening what he calls the weak link—the human factor. That initiative involves educating students, faculty, and staff to recognize the social engineering methods malicious actors use to gain access to PII. Those methods focus on human interaction, often fooling people into thinking they’re dealing with a trusted colleague or site. They result in broken security procedures and policies and compromised or exposed data.
Phishing is one example, as is its more sophisticated relative—spear-phishing. Higher education network users are frequent targets of this well-researched digital scam. “The malicious actors will scope the college,” Wilson said. “They know who the CIO is. They know who the vice president of academic affairs is, who the vice president of finance is. They acquire a lot of information through data-mining on webpages and then they craft an email to the executive assistant for the vice president of finance that says, ‘Hey, Sarah, this is Bob. I need this financial information and you need to pay [this entity] because they provided this service for us.’”
Outreach to the Campus and Beyond
Some student populations can be more vulnerable to cyberattackers, Hartranft said. For example, some international students may have never seen a phishing email—a scam that is more common and more sophisticated in the U.S.—so Lehigh teaches students what to watch for. His office also works with athletic directors, coaches, and athletes involved in its Division I teams, a population that cyberattackers often prey on because of their visibility. A recent outreach effort provided tips on protecting their online identities and reporting cyberstalking and harassment. “Many of our athletes have a lot of information in their [online] bios. We do training, including advising them not to use [that] information in their security answers.”
Lehigh and USA reach the wider campus community with posters and digital communications and provide services such as anti-virus software. Like Lehigh, many colleges and universities sponsor education projects tied to National Cyber Security Awareness Month each October and provide cybereducation sessions for first-year students.
Both Lehigh and USA use SANS Institute training to keep staff and faculty informed and updated on cybersecurity and potential threats. SANS’ Securing the Human program is a self-paced education series that provides advice on securing information and systems, including requirements around FERPA and other compliance issues, mobile device security, and how to recognize phishing and social engineering tricks. “SANS and other types of training remind employees that cybersecurity is everyone’s job,” Wilson said.
Preventing Breaches
Neither USA nor Lehigh has experienced any major breaches. Regular searches, vulnerability scans, and system updates help detect suspicious activity and mitigate threats.
“We also continually monitor and [respond] if or when we see a Lehigh account itself suspiciously accessed. We inventory our sensitive data on devices and have had devices lost or stolen, like many organizations, but having deployed full disk encryption and knowing what data was stored on those devices, we have avoided sensitive data releases,” Hartranft said.
“A sound and thorough security program is focused on maturing to more proactive and predictive processes. Devices will be lost or stolen. Attackers will compromise accounts and get into your networks,” he said. The key is how quickly you identify this behavior and respond effectively.
By Donna Davis, a freelance business and education writer
Photos used courtesy of Lehigh University and the University of South Alabama