Ohio State University is one of the largest public institutions in the United States, featuring 15 colleges that offer more than 12,000 courses across more than 200 undergraduate majors. To put it simply: It’s big and it’s very decentralized.
While most higher education institutions cannot match Ohio State’s sheer size, they do possess a similar decentralized structure. With so many schools, colleges and offices making up the typical university system, these institutions often match the largest government agencies, private sector businesses and nonprofits in their complexity.
This structure, though, can cause major problems when it comes to cybersecurity. As is often the case, the individual schools and colleges within a university feature different security systems, policies and procedures. They feature no true central management and can serve as easy — and popular — targets for cyberattack. As such, universities as a whole need to create a centralized approach with robust security standards, strong governance and technologies built to work with one another.
A sector under attack
Higher education institutions are ripe targets for cyberattacks. These institutions not only have a wealth of personally identifiable information of students, professors and staff, but also proprietary information such as course materials, research and intellectual property.
As The New York Times pointed out, Penn State University, which suffered a cybersecurity breach in 2015, must manage more than 20 million hostile attacks on any given day.
“Universities and colleges are among the most difficult environments because they are the pioneers of the modern internet and have legacy systems, approaches to security, and most importantly, cultures that predate our current hostile internet environment by decades,” said David Shipley in an EDUCAUSE Review blog. “They’re also the birthplace of BYOD [bring-your-own-device] and often operate in highly decentralized IT environments. And universities and colleges aren’t the kinds of institutions that adjust to change rapidly.”
The time for change, though, is now.
An integrated cyberdefense approach
An integrated cyberdefense approach is one that focuses on securing data at all phases of its life cycle, with an emphasis on visibility in an effort to reduce risk and drive efficiency. Integrated cyberdefense involves using a cybersecurity system with components that are built to work together and pieces that complement and assist one another — as opposed to those that are forced into a system and work independently, only opening up additional vulnerabilities.
Higher education institutions have fallen in love in recent years with what I call the “Shiny Object Theory.” They get sold a piece of security technology developed to fix one problem. It is seen as a panacea to security, but that piece typically does not work with other systems in place. Just because it is the “best” at what it does does not make it the best for every environment.
Conversely, integrated cyberdefense focuses on data. The system protects data wherever it is — from collection and use to transit and rest. The goal is for administrators to know what is happening with their data at all times: Who has it, where it is, what it is being used for and if anything out of the norm is occurring.
This is accomplished by higher education institutions implementing a more holistic approach to cybersecurity that focuses on five key areas of improvement, including:
- Governance and compliance: With higher education institutions so decentralized, these organizations need to create a cohesive set of governance and compliance rules to manage the environment. All components should follow the same set of rules and know where and how to report issues, receive guidance and share information.
- Access control: With such large systems, universities need to know who can access what information and ensure that they have set policies in place. Higher education institutions should set up multi-factor authentication that allows them to maintain productivity while ensuring only authorized users have access to networks and applications. This will also help manage shadow IT and deter unsanctioned usage of cloud and other web applications.
- Information protection: As noted, it is important to ensure data is protected at every stage of its life cycle. Universities need to use data loss prevention technologies to help identify and encrypt their most sensitive information. They must also control endpoints from on-premises environments to the cloud, and control access to sensitive data on mobile devices.
- Infrastructure management: Higher education institutions should look to layered protection that can expand the reach of their defenses to multiple policy enforcement points, including endpoints, networks and the cloud. Universities should also harness multi-vector telemetry to secure all their domains with access to the security industry’s deepest set of telemetry data across the web, internet, email and endpoints.
- Infrastructure and cloud protection: To protect their infrastructure, universities need to ensure they stay secure in the cloud. That includes providing complete workload protection and monitoring workloads across public and private clouds. Universities should also deploy trusted security controls to harden their workloads in an effort to protect against zero-day threats and targeted attacks.
These steps are critical to ensuring proper security in any enterprise, but especially for higher education. They can help create a more centralized environment that will be easier to manage while providing enhanced security.
The biggest challenge for higher education will be taking the steps to initiate this approach. It begins with the provosts and the universities’ board of trustees. These leaders must understand the importance of protecting data and empower technology leaders to implement a university-wide approach.
With that buy-in, university technology leaders should seek out an assessment to identify their current risk environment. That could be accomplished by using the National Institute of Standards and Technology’s Cybersecurity Framework as a baseline to determine where the holes exist and how best to address them. Essentially, this will give universities a sense of where they’re starting and how best to proceed.
From there, these institutions can begin developing a risk management plan that transitions from legacy and shiny-object based systems to an integrated approach. These types of changes are not easy. It involves the buy-in of leadership, a concerted effort to make change throughout a large system and a breaking of traditional silos.
Given the number of breaches to both large and small universities, a change in philosophy is clearly necessary. Cybersecurity is not about the best technology at a given point in time. It is about how people and technology can work together to create a system that protects data across its life cycle, while still making it accessible and usable by stakeholders.
Jason Crist is the Regional Vice President of Sale for State, Local and Education at Symantec West.
Editor’s note: This article was updated to correct the attribution of a quote in the story. The quote came from David Shipley, writing in an EDUCAUSE blog, not from EDUCAUSE itself, as was originally published.