Tips for managing trust with data
Patty Patria remembers the days when cybersecurity used to be about protecting what was in your perimeter. But, in a time when many employees continue to work remotely and many institutions migrate to cloud-based applications, there is no perimeter now.
Today, higher education institutions must leverage best practices around securing information and data like multi-factor authentication and NIST (National Institute of Standards and Technology) controls to keep accounts safe. They need Cloud Access Security Brokers to help keep cloud information secure and to ensure employees have safe home networks. And, above all else, they must educate their employees on the variety of threats that continue to litter the landscape.
Patria, VP for Information Technology and CIO at Worcester Polytechnic Institute (WPI), says the Worcester, Massachusetts-based university was fortunate to have had many of the necessary technologies in place prior to the pandemic-induced crisis. Still, like scores of other schools around the country, it had to pivot quickly to allow all employees and students to go remote over a short period of time, and continues to do so in today’s hybrid learning environment.
“We use a holistic approach in securing the hybrid learning environment,” Patria says. “Our students are required to use Multi-Factor Authentication when accessing our cloud-based systems and we are standardizing NIST password controls. We also have higher levels of security controls for systems that store sensitive data. In addition, we also educate both students and employees on best practices when creating meeting invites with Zoom or Microsoft Teams to prevent Zoom bombings and other potential security issues.”
With the rise in ransomware and active directory compromises over the last year or so, there are not enough words to express the focused effort it takes to improve a university’s security posture across all areas. “The best advice I can share is to take a holistic approach to security,” Patria says. “Security is about people, process and technology; you need to educate people, have good process controls around assets and information, and ensure you have very good technology to proactively stop attacks, but also to monitor and alert when attacks happen. Having a strong security team is also critical, and ensuring that your team receives professional development to help you keep your systems and information secure is key.”
In the fine line between maintaining continuity and anticipating future demands in the world of higher education cybersecurity, Peter Saxena’s advice is simple: Be vigilant and expect an attack at any time. To stay on top of its game, the Associate VP for IT and CIO at Roberts Wesleyan College, says the Rochester, New York, university conducts exercises once a quarter on what to do if an attack occurs.
“The key is to continuously monitor your environment and your assets for activity that is questionable and have processes in place to address these if they find an anomaly,” Saxena says. “Continue to invest in cybersecurity tools and services and progressively increase that investment over time until you are comfortable with your protection.”
Saxena believes the post-COVID era will have an increased focus on cybercrime prevention strategies, particularly since cybercrimes and attacks have been escalating. “I think IT needs to maintain an appropriate continuous posture of cybercrime prevention in order to protect an institution’s interests and digital assets. The biggest challenge we face in technology adoption is change management, which essentially is helping people move from state A to state B using the different technologies available.”
To help inspire some thoughts on holding the line on cyber activities, here are some safety steps and protocols you can review to see how yours stack up:
Increase Virtual Private Network (VPN) licenses to allow all employees and students to connect to on-premise technology securely.
Place student file shares on the cloud, and increase capacity for student and faculty access to specialized computing applications through Virtual Desktop Infrastructure (VDI).
Continually tighten security practices and monitor existing security solutions. Being able to identify issues as they arise, and investigating and addressing them quickly, is critical.
Ensure all non-IT departments comply with data security practices—and that your IT team actively monitors them. The challenge with an increasing hybrid education model is that schools have to create security in the process, i.e., ensuring faculty home computers are compliant with security software and antivirus agents.
Conduct initiatives such as vulnerability assessments and penetration testing from an outside vendor, and table-top exercises to educate key users on how to avoid cybercrime. Simulating phishing attacks, and then measuring the results and creating education for needed areas can be helpful.
Leverage security scorecards that benchmark against best practices, including protocols from the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), Bitsight and Microsoft Secure Score. Set targets for your school, and compare the results against your peers.
Leverage external vendors for routine pen tests and security assessments. With the rise in ransomware and active directory compromises over the last year, focusing on improving your security posture in these areas is critical.
Ramp up your education efforts. Sending things like security-related newsletters on a routine basis helps keep everyone on the same page. Your campus faculty, staff and students must be vigilant in their interactions with endpoint technologies and understand the factors that bring threats inadvertently in house. In addition, if a critical threat arises, you will have the communication lines queued up.
Protect your demarcation points where your institution’s data pipelines meet the internet, which means protecting your servers or areas where your systems and data are stored. Make sure your endpoints, i.e., your computers and devices that are on your network, are protected.
Find external partners to team up with. Cybersecurity is expensive and challenging, so finding partners to collaborate with can help share costs and expertise.
Recognize and prioritize students as primary stakeholders in your cybersecurity efforts. When students do not understand how their institution uses personal data, their trust in that use and confidence in how their personal data is protected erodes. School leaders and cybersecurity professionals must focus on individuals, in addition to the institution.
Take out a cybersecurity insurance policy, which can help protect your faculty and students.