University IT officials should avoid presenting ransomware and other cybersecurity threats as an “impossible problem” when discussing them with non-technical administrators, Michael Berman, the chief information officer of the California State University system said during an online panel Thursday.
Instead, cybersecurity threats should be treated as issues that “can’t be solved,” but can be managed, he said. Berman and other university officials on the panel, hosted by the Chronicle of Higher Education, promoted openness with administrators and other institutions to deal with the increasing threat of cybersecurity attacks. That means crafting realistic plans in the event of a breach and sharing broad information about attacks so other colleges and universities can better prepare themselves.
“It’s walking that fine line between creating a sense of urgency without creating a sense of panic, because creating a sense of panic doesn’t help,” Berman said. “It doesn’t lead to a solution.”
Companies and universities often “clam up” about the details of an attack or breach to avoid damage to their reputations, Kim Milford, executive director of the Research and Education Networks Information Sharing and Analysis Center, said during the panel.
“You don’t have to tell what server they hacked, what the IP address is, what that server does, but it’s really that sort of the details stuff that that we learn from,” she said. “Where did the attack come from? How long did it last? What did they leverage as their initial attack vector?”
Prairie View A&M University, a historically Black university in Texas, temporarily shut down classes in February because of a cyberattack. University Chief Information Officer Tony Moore told his fellow panelists Thursday that the school learned the importance of multi-factor authentication and maintaining and testing back-ups. Multi-factor authentication implementation was in progress when the attack happened, he said.
Moore echoed that collaboration can strengthen cybersecurity strategies, especially if a school is working with limited resources. Some HCBUs are struggling with updating cybersecurity to meet federal guidelines; the Student Freedom Initiative, a nonprofit that focuses on students at minority-serving institutions, recently announced a plan to fund cybersecurity compliance gaps at HCBUs with a $100 million gift from Cisco.
“I think we cannot be afraid to ask for help,” Moore said, saying he meets weekly with leaders from other campuses and outside higher education institutions and leans on IT-focused organizations like Educause.
The panel took place a day after President Joe Biden gathered top officials across industries, including higher education, to discuss rising cybersecurity threats. Milford said the four most common paths for a cybersecurity attack are phishing, remote services like VPNs, public-facing applications and stolen or brute-forced user accounts. Of 300 higher education institutions surveyed by the password-software company LastPass, 88% found system infringement due to poor password management.
“Once an attacker has a student account, it’s as if you’ve set them up with a computer inside your building,” Berman said during the panel. “They’re now looking for a hole. And the reality is that we have seen very serious major ransomware attacks that started with the compromise of a single student account.”
Communication about these various threats to university administrators means using “non-technical talk” and making sure leaders can weigh the risk when making budgetary decisions, he said.
“They understand that if they don’t allocate enough money to address it that they’re rolling the dice and they’re taking a huge risk. They’re risking not being able to operate as a university,” Berman said.
Correction: Aug. 27, 2021: A previous version of this story listed Tony Moore as the president of Prairie View A&M University. He is the chief information officer.