Net neutrality changes expected to have big implications for education
December 14, 2017
The FCC's decision on Thursday to pass a sweeping repeal of Obama-era net neutrality rules will resonate in K-12 and higher ed, educators say.
Commentary: Universities need buy-in from provosts, trustees to initiate approach to data and technology.
Jason Crist is the Regional Vice President of Sales for State, Local and Education at Symantec West....
Ohio State University is one of the largest public institutions in the United States, featuring 15 colleges that offer more than 12,000 courses across more than 200 undergraduate majors. To put it simply: It’s big and it’s very decentralized.
While most higher education institutions cannot match Ohio State’s sheer size, they do possess a similar decentralized structure. With so many schools, colleges and offices making up the typical university system, these institutions often match the largest government agencies, private sector businesses and nonprofits in their complexity.
This structure, though, can cause major problems when it comes to cybersecurity. As is often the case, the individual schools and colleges within a university feature different security systems, policies and procedures. They feature no true central management and can serve as easy — and popular — targets for cyberattack. As such, universities as a whole need to create a centralized approach with robust security standards, strong governance and technologies built to work with one another.
A sector under attack
Higher education institutions are ripe targets for cyberattacks. These institutions not only have a wealth of personally identifiable information of students, professors and staff, but also proprietary information such as course materials, research and intellectual property.
As The New York Times pointed out, Penn State University, which suffered a cybersecurity breach in 2015, must manage more than 20 million hostile attacks on any given day.
“Universities and colleges are among the most difficult environments because they are the pioneers of the modern internet and have legacy systems, approaches to security, and most importantly, cultures that predate our current hostile internet environment by decades,” said David Shipley in an EDUCAUSE Review blog. “They're also the birthplace of BYOD [bring-your-own-device] and often operate in highly decentralized IT environments. And universities and colleges aren't the kinds of institutions that adjust to change rapidly.”
The time for change, though, is now.
An integrated cyberdefense approach
An integrated cyberdefense approach is one that focuses on securing data at all phases of its life cycle, with an emphasis on visibility in an effort to reduce risk and drive efficiency. Integrated cyberdefense involves using a cybersecurity system with components that are built to work together and pieces that complement and assist one another — as opposed to those that are forced into a system and work independently, only opening up additional vulnerabilities.
Higher education institutions have fallen in love in recent years with what I call the “Shiny Object Theory.” They get sold a piece of security technology developed to fix one problem. It is seen as a panacea to security, but that piece typically does not work with other systems in place. Just because it is the “best” at what it does does not make it the best for every environment.
Conversely, integrated cyberdefense focuses on data. The system protects data wherever it is — from collection and use to transit and rest. The goal is for administrators to know what is happening with their data at all times: Who has it, where it is, what it is being used for and if anything out of the norm is occurring.
This is accomplished by higher education institutions implementing a more holistic approach to cybersecurity that focuses on five key areas of improvement, including:
These steps are critical to ensuring proper security in any enterprise, but especially for higher education. They can help create a more centralized environment that will be easier to manage while providing enhanced security.
The biggest challenge for higher education will be taking the steps to initiate this approach. It begins with the provosts and the universities’ board of trustees. These leaders must understand the importance of protecting data and empower technology leaders to implement a university-wide approach.
With that buy-in, university technology leaders should seek out an assessment to identify their current risk environment. That could be accomplished by using the National Institute of Standards and Technology’s Cybersecurity Framework as a baseline to determine where the holes exist and how best to address them. Essentially, this will give universities a sense of where they’re starting and how best to proceed.
From there, these institutions can begin developing a risk management plan that transitions from legacy and shiny-object based systems to an integrated approach. These types of changes are not easy. It involves the buy-in of leadership, a concerted effort to make change throughout a large system and a breaking of traditional silos.
Given the number of breaches to both large and small universities, a change in philosophy is clearly necessary. Cybersecurity is not about the best technology at a given point in time. It is about how people and technology can work together to create a system that protects data across its life cycle, while still making it accessible and usable by stakeholders.
Jason Crist is the Regional Vice President of Sale for State, Local and Education at Symantec West.
Editor's note: This article was updated to correct the attribution of a quote in the story. The quote came from David Shipley, writing in an EDUCAUSE blog, not from EDUCAUSE itself, as was originally published.