“Everyone” should be involved in preparations for cyberattacks, including senior university leaders who lack technical expertise, speakers said during a virtual event Wednesday hosted by the University of California.
Making sure everyone knows areas of responsibility and who to call when there’s a breach — and practicing those responses — can help organizations prevent chaos, said Brett Yeager, a special agent in the FBI’s Cyber Division. Figuring out who to contact beforehand and running tabletop exercises can help universities respond to incidents more effectively because cybersecurity staff won’t have to wait for approval before taking action, he said.
“They’re not getting bogged down with a bunch of queries and questions to provide those updates,” Yeager said during the event.
Colleges and universities, which manage federal research data in addition to the personal and financial information of students and staff, continue to face a barrage of ransomware and other cyberattacks, which often disrupt operations.
Part of smoothing the response process involves determining an institution’s risk tolerance, which requires input from many offices and departments, said Kim Milford, executive director of the Research and Education Networks Information Sharing and Analysis Center. For example, chief financial officers should be involved in whether universities pay ransoms, she said.
“That has to be a tabletop at a very high level to get those decisions in place so that you have your policy and your procedures lined up,” Milford said. “You don’t want to be doing that in the middle of an incident — you want to have it in advance of the incident so that you can concentrate on managing the incident and not being a victim of the incident.”
In the FBI’s work with universities and colleges, Yeager said he’s noticed that institutions benefit from reaching out to peer institutions and law enforcement as part of their incident response planning. Those schools tend to have a better handle on where their data is stored and on their plans to protect it against cyberattacks, he said.
“They’re doing a very loud incident response [and are] not able to kind of methodically work their way through it,” he said of institutions that haven’t adequately prepared. “Also what I fear the most is a lot of times, they’re not in a position to really understand ‘how did the adversary get into the system in the first place, and how was the adversary able to move through the system?’ They just try to clean it up, patch it and move on.”
Conducting routine risk assessments can help inform university leaders as they develop risk-tolerance and response plans, University of California Chief Operating Officer Rachael Nava said during the event. She said universities need “comprehensive conversations” across their organizations about response and about how to spend a limited cybersecurity budget to shore up operations.
“Your IT professionals can help you quantify the risks that you’re facing, but then it’s up to the leaders and the business leaders then to weigh up what do those metrics mean,” she said.