EfficientIP recently released its 2018 Global DNS Threat Report, which found that higher education ranks as one of the industries least prepared to handle cyber threats. The report calls out that the cost per Domain Name System (DNS)-based attack in the education industry increased significantly last year, by 68% to $690,000.
Universities are not only susceptible to financial losses from security breaches, but also reputation damage. Publicized breaches, like the 2017 Equifax breach, can severely affect a company or university’s reputation, resulting in drops in applications and enrollment, loss of donations and grants, or a negative impact to brand loyalty among students and alumni.
Considering colleges and universities are at high risk for cyber-attacks, it is no surprise that “Information Security” was ranked first on the 2018 Top 10 IT Issues for higher education. Higher education leadership has been investing in cybersecurity in the past years; however, the looming threat is that the software ecosystem is changing every day, and hackers are becoming increasingly sophisticated. Currently, many IT departments are in reactive mode, responding to threats and new compliance initiatives as they come. Instead, institutions should be developing a proactive strategy that will both mitigate risk and allow them to quickly recover in the event of an attack.
We took a look at recent reports and articles surrounding proactive approaches to cybersecurity and compiled 6 best practices higher education institutions can implement to ensure they are prepared to battle public enemy number 1 for IT: Information Security.
- Start with good cyber hygiene.
Last year, Digital Citizens Alliance reported that cyber criminals are sharing millions of higher education institutions’ email addresses and passwords on the dark web. One of the first basic cyber hygiene best practices is using secure passwords. Best practices for secure passwords include: using a mix of characters, not re-using university-provided passwords, changing them annually, and never sharing your password.
Another basic best practice is to keep your software clean. That means regular updates and applying security patches as soon as they become available. According to the Global DNS Threat Report mentioned above, about 73% of institutions took three days or more to apply a patch after a notification. Unpatched systems are one of the biggest risk factors in attacks, so cutting down on this lag time can help reduce the risk of an attack from the start.
- Make campus wide buy-in a priority.
According to the Verizon 2016 Data Breach Investigations Report, about a third of victims opened deceptive emails that appeared to be from a trusted person but included malicious links or attachments. This type of cyberattack, known as phishing, is extremely common and requires that all members of campus know what threats to look out for. Considering “all members of campus” includes students, faculty, staff, and even alumni and parents, a cybersecurity awareness campaign of this size can be challenging.
Many colleges and universities have begun kicking off campaigns during Cybersecurity Awareness Month, which occurs in October. To develop your own Cybersecurity Awareness Campaign, StaySafeOnline by National Cyber Security Alliance is a great place to find free resources like campaign themes, content ideas, and even sample social media posts. Last October, Northwestern kicked off a year-long campaign that featured promotional materials like posters focusing on two topics per quarter, like phishing and password security. On their IT site, they also offer videos explaining two-factor authentication and even a list of the most recent scam email attempts at Northwestern.
- Take an assessment or audit of your current IT landscape.
The more you know about where your vulnerabilities are, the better prepared you can be to protect against them. If you already have cybersecurity policies in place, a formal audit can help you validate whether your university is enforcing the policies that were set. Audits are typically performed by third parties.
If you don’t have clear cybersecurity policies in place, an assessment of your technology infrastructure, organizational policies, and user-training can give you the full picture of where your biggest risks lie.
According to Susan Grajek, Educause’s vice president for data, research and analytics, hacking, malware, and phishing make up the top three threats for universities. By taking an assessment or audit of your current policies, you can focus on what your institution is doing to mitigate risk for these top threats.
- Always back it up.
A consistent back-up schedule and storage system can prevent a world of stress and costs if your data has been compromised. Christopher Thomas, a special agent in the cybersecurity unit at the FBI’s Sacramento field office, warns that ransomware attacks can lock colleges and universities out of their own systems and demand large sums of money to unlock them. He noted that the FBI does not recommend paying ransom to hackers, and that the data is often not restored even after they receive payment.
The best way to mitigate this risk is to have multiple back-ups of your data and to consider storing them on a secure cloud-based solution. That way, if your data is compromised in any way, you are able to restore your data and systems after the attack.
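A back-up only counts once you have confirmed it actually restores. The script below is an added example, not code from the article or from any of the reports it cites: it archives a directory into a tar.gz with a SHA-256 manifest, keeps two independent copies (an on-site and an off-site location, both simulated as local folders), and then runs a restore drill that re-extracts one copy into a scratch directory and compares every file digest against the manifest. All file names, directory names and sample data are constructed for the demonstration.

```python
"""Integrity-checked backup with a restore drill (added example, not from the article)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, dest_dir: Path, name: str) -> Path:
    """Write <name>.tar.gz of `source` plus a <name>.manifest.json beside it."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest = build_manifest(source)
    (dest_dir / f"{name}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def restore_drill(archive: Path, manifest_path: Path) -> dict:
    """Extract the archive into a scratch directory and compare it with the manifest.

    Returns which files are missing or have a different digest; ok is True only
    when every file listed in the manifest came back byte-for-byte identical.
    """
    expected = json.loads(manifest_path.read_text())
    # Use the 'data' extraction filter (rejects absolute paths and '..' traversal)
    # where this Python version supports it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        actual = build_manifest(Path(scratch))
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {"ok": not missing and not corrupted, "missing": missing,
            "corrupted": corrupted, "files": len(expected)}


def demo() -> dict:
    """Back up a constructed data set to two locations, then drill a clean and an altered copy."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "data"  # constructed sample tree
        (source / "records").mkdir(parents=True)
        (source / "records" / "grades.csv").write_text("id,grade\n1,A\n")
        (source / "records" / "roster.csv").write_text("id,name\n1,Ada\n")
        (source / "README.txt").write_text("constructed sample files for the backup drill\n")

        # Two independent copies: an on-site share and an off-site bucket (both simulated).
        onsite = create_backup(source, work / "onsite", "nightly")
        offsite = create_backup(source, work / "offsite", "nightly")
        manifest = work / "onsite" / "nightly.manifest.json"
        clean = restore_drill(offsite, manifest)

        # Simulate a copy whose content drifted from what the manifest recorded
        # (bit-rot, or a backup taken after the data was tampered with).
        (source / "records" / "grades.csv").write_text("id,grade\n1,F\n")
        altered = create_backup(source, work / "altered", "nightly")
        drifted = restore_drill(altered, manifest)
        _ = onsite  # the on-site copy would be drilled on its own schedule
    return {"clean": clean, "drifted": drifted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the drill on a schedule against each stored copy, not only when an incident is already under way; a copy that fails the digest comparison is the one you want to discover before ransomware, not after.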
- Follow national standards and practices.
A number of industry and national best practices have been published and should be used as a go-to resource when developing your institution’s cybersecurity standards. The Center for Internet Security released its Critical Security Controls, and all institutions are strongly advised to follow these actions. The CIS Controls include three categories: basic, foundational, and organizational. The resource is completely free to download.
There are also a number of other accepted secure configuration and standards resources, including those from the National Institute of Standards and Technology (NIST) and the Government Accountability Office (GAO).
These resources can not only help you develop the framework for your cybersecurity protocol on campus, but they can also help define stances on items like encryption, port access, and multi-factor authentication.
- Implement an Enterprise Risk Management Program.
Using the best practices noted above, you can develop an Enterprise Risk Management Program (ERM) that will enable your institution “to avert crises and lessen the impact of those that do occur”, notes Vicki VanDenBerg, a higher education practice leader.
By having an ERM in place, you can ensure that your institution is fully prepared in the event of an attack. Being prepared means not only enabling your staff to recognize attacks like phishing scams before they succeed, but also being able to act swiftly if an attack is carried through.
So how do you create an ERM program? To start, buy-in from leadership is crucial to the program’s success. A board should be established to oversee the program and appoint an owner of the program. The board and owner should also identify program “champions” in departments across campus, which can make campus-wide implementation an easier process.
Once a board and owner are in place, the goals of the program should be defined. These might include:
- Identify current risks (using your audit or assessment listed in best practice #3)
- Determine likelihood of current risks
- Develop mitigation strategies based on those risks
- Document strategies and create a continuous feedback loop between leadership and the risk owners
A great example of an ERM carried out at a higher education institution is University of California’s ERM. They’ve developed a robust program that offers resources, templates, and guidelines for strategically managing risk. As a part of the program, “UC Ready” was created, which serves as a framework for what to do in the event of a natural disaster or IT disaster.
Although there is no foolproof method, by implementing the 6 best practices listed above, colleges and universities can feel better prepared not only to prevent cyber-attacks, but also to swiftly remedy the situation if an event does occur and ensure as little damage as possible.