Cybercrime is a multibillion-dollar global industry, and it grows exponentially each year.
The FBI has identified six different classes of cyber threats: hacktivism, crime, insider, espionage, terrorism and warfare — all of which have multiple attack vectors that make up the cyber “threat landscape.” For businesses — including colleges — that means defending against all potential threats and addressing vulnerabilities every day, on multiple fronts, to keep data safe.
It also means a heavy institutional investment of time and money.
“As you have to get more sophisticated to protect the college, it gets more and more expensive, and that expense eats into your IT budget. It’s not just about defending against attacks; it’s the way it erodes resources,” says Michael Northover, chief information officer at Portland Community College (PCC) in Oregon.
So how can colleges best protect themselves? Northover has some advice.
Make a public commitment that cybersecurity is an institutional strategic priority. Cybersecurity should be looked at as the digital element of public safety, Northover says, as people’s livelihoods are often tied up in their identities. A commitment to cybersecurity needs to come from the top. As CIO, Northover worked to help PCC’s president and board understand the importance of digitally protecting students, faculty and staff.
Getting that buy-in can be difficult — especially when the worst hasn’t happened yet.
“Cybersecurity is one day you’re happy, and the next day you’re not. You’re always investing for the worst case scenario,” Northover says.
When cybersecurity is understood and made an institutional priority, it usually smooths the way for funding discussions during budget planning.
Understand what regulations govern the institution. Does the college take credit card payments? Does it keep medical records? Does it receive federal funds? Each of those activities is governed by regulations that carry cybersecurity requirements specifying what data needs to be protected. Those regulations also drive fines, penalties and liability if a data breach does occur.
Ensure the college has adequate cybersecurity insurance coverage. Insurance against cybersecurity incidents not only protects institutions in case the worst happens, but most cyber insurers also provide legal and technical resources to help in the event of an incident.
Based on how the college is regulated, understand what data are being kept and what needs to be protected. For example, “if you’ve determined you’ve got medical records, therefore you’re regulated by HIPAA (Health Insurance Portability and Accountability Act), what are the pieces of data HIPAA says you have to protect?” Northover says. This is a big task, as data “can be all over the place,” he adds, especially at large institutions.
Build a cybersecurity roadmap. Once the vulnerabilities of the institution and the assets that need protection are identified, an in-depth defense plan can be built. Part of the plan should include staff training about cyber awareness.
“For all the millions of dollars we spend on technology, for all that investment and skill and technological resources, one of the biggest challenges is educating people to not make simple mistakes that let the bad guys in,” Northover says. “It’s like many things in life: people don’t take it seriously until it happens to them.”
PCC also is training tomorrow’s cyber warriors on the Sylvania Campus at its new National Center of Academic Excellence in Cybersecurity Fundamentals, approved by the National Security Agency and the Department of Homeland Security.
“We’re proud to host this Center of Excellence because it helps build the pool of skilled workers needed to protect the national information infrastructure. Importantly, these are high-demand, family-wage jobs, so the center also supports our local and regional economy,” says Lisa Avery, campus president of PCC Sylvania, and a member of the American Association of Community Colleges board of directors.