To thwart cyber threats, colleges need to partner with other institutions and work better internally among their departments, according to a panel of cyber experts in the higher education field.
Cyber criminals are working in organized groups and recruiting talent, and so should colleges and universities in their attempts to deflect those potential breaches, noted Brian Kelly, director of the cybersecurity program at EDUCAUSE.
“Cybersecurity is a team sport,” he said during a webinar last week on cyber-ready campuses, held by the National Student Clearinghouse (NSC). “We need to be having those conversations with each other and on our campuses.”
Internally, collaboration must include not only administration and IT, but also faculty and staff who often are the first to spot something unusual, said Joseph Potchanant, director of member services and support at the Research and Education Networks Information Sharing and Analysis Center.
He also stressed that institutions must constantly remind employees about their responsibility in keeping their colleges’ systems safe. It only takes one click on a link to allow a criminal into a system, which can affect a slew of people, from employees to students and more, he said.
Ask hard questions
John Ramsey, chief information security officer (CISO) at the National Student Clearinghouse (NSC), added that enrollment managers, registrars and financial aid officers should be especially sensitive about who has access to their data and how it is protected. If working with a third-party cybersecurity vendor, ask the hard questions and don’t assume anything.
“Security really is a common-sense approach at the end of the day. If you hear an answer that doesn’t make sense, there’s probably an underlying issue,” he said. “Don’t be afraid to peel that onion.”
Colleges also should have plans for various incident scenarios, such as an internal breach or if a breach occurs because of a third-party servicer, said Ramsey, who previously was CISO for the U.S. House of Representatives. He reiterated the importance of including college staff and faculty from various departments in developing these plans.
Ask them: “If our data was to be breached, where would it happen?” Ramsey said. The answers may be surprising, he added. For example, the college may assume only five people or so may have access to certain sensitive data, when in fact it could be double that, and some of those people may not have a reason to have access to the information.
If there was a silver lining in the pandemic, it’s that the move to online learning, registration and more forced more conversations about technology and cybersecurity, Kelly said. For instance, more institutions were discussing where devices such as Alexa and Google Assistant pose a risk of collecting data if employees discussed student information over the phone or during a Zoom meeting while they worked from home.
“You want those conversations ongoing and not only when a problem arises,” Kelly said.
Keep testing and improving
How does a company like NSC protect its volumes of data? Ramsey said building strategic alliances to deter risk is part of the strategy. NSC partners with Microsoft, IBM, FireEye, the U.S. Department of Homeland Security and more.
“It’s not NSC fighting the fight,” he said. “It’s really an alliance of strength and knowledge.”
Also, colleges must remember that threats evolve and change. “There is no such thing as perfect security,” Ramsey said.
That’s why it’s important to continually assess and improve security. NSC has regular phishing campaigns to see if employees are warding off those attempts, as well as ransomware drills every few weeks and tabletop exercises to see how the center would respond to an incident. The company also has an independent assessment of its measures.
A successful cybersecurity plan results from changing the culture.
“It’s not a security requirement or a security mandate,” Ramsey said. “It’s about everybody living and breathing security as a second nature.”
Part of developing a culture includes college leaders holding regular meetings on cybersecurity with stakeholders at the college, especially about a communication plan if there is a breach, added Monty McGee, associate director of the Cyber Readiness Institute.