Higher Education

Cybersecurity in higher education: going from ‘no’ to ‘know’

Cybersecurity is critical to higher education, so it must become an enabler of the business, not an impediment.

May 26, 2021

(Getty Images)

Data breaches are among the greatest sources of risk for higher education institutions, so it’s not surprising that even before the pandemic, privacy and security concerns headed up the list of worries for IT teams at colleges and universities. But when teaching and learning moved to homes and parking lots in the spring of 2020, end-user security protection immediately became more difficult to manage, yet even more important to maintain.

In a poll of 154 institutions, more than 40% reported that security tasks have become much more important in the past year. The pandemic’s massive shift to remote work and remote learning heightened institutional security and privacy risks across numerous areas. For example, the number of home personal devices storing and using institutional data increased exponentially. Privacy issues emerged around video conferencing from home as family members — and smart home assistants like Alexa — could overhear confidential conversation. Security around video conferencing platforms and the advent of “Zoombombing” also became a concern.

As the world moves more and more online, cybersecurity risks will continue to increase in number and complexity, so risk mitigation and protection will become central to the ability of institutions to fulfill their educational missions. Going forward, cybersecurity must be viewed as an enabler rather than an impediment to learning, and campus information security departments must become “the office of know” instead of “the office of no.” They must identify key trends and emerging technologies that will add to the efficiency and protection of their campuses and students.

The pandemic has accelerated the growth of endpoint devices — including computers, laptops, smartphones and tablets — that are owned and operated by the average person. With 70% of all security breaches originating at these endpoint devices, rapid risk detection and response is becoming a necessity for IT security. And since many students, educators and staff are likely to continue working off campus, ongoing training for security awareness, outreach and communication will remain essential.

Institutions should consider technologies and practices that make it easier for students and faculty members to use cybersecurity best practices. Multi-factor authentication requires users to present two or more pieces of evidence to verify their identities, which can protect against bad actors who typically don’t have access to more than one factor.

However, MFA can be cumbersome if not coupled with single sign-on, where users can authenticate across several related, yet independent software systems. By using both MFA and single sign-on, institutions can eliminate the need for multiple usernames and passwords to manage the user experience for students and faculty, making it easier for them to access institutional platforms and apps in a secure way.

Institutions should also be mindful of how they’re collecting and using student data, while upholding transparent data-governance standards. Students expect their institutions to use their data ethically and responsibly, but frequently lack an understanding of how institutions use their personal data.

Higher education chief information security officers should increasingly focus on enabling the effective and secure use of all technology on campus. These leaders need to work collaboratively across departments and with students to improve information-security governance, compliance, data protection and privacy programs. With a focus on effective leadership and implementation of technologies and practices to strengthen overall information security, higher education may emerge from the pandemic better able to manage the cybersecurity risks that will no doubt continue to surface.

Brian Kelly is the director of the cybersecurity program at Educause. He’s also an adjunct instructor at Naugatuck Valley Community College in Waterbury, Connecticut, and was previously the chief information security officer for Quinnipiac University in Hamden, Connecticut.