2 ways universities are mitigating cybersecurity risks in a complex environment

Balancing accessibility with security also depends on the hard work of up-front risk assessment.
Rob Jonkers
Rob Jonkershttps://www.sap.com/about/trust-center.html
Rob Jonkers is global senior director of higher education & research at SAP, a data protection service.

Picture this: You have a broad mix of faculty, staff, students, service providers, collaborators and visitors interacting with the school networks and data. You have a kaleidoscope of departments, institutes and centers that have developed their own unique IT infrastructure. If you’re at a research university, there are troves of potentially valuable data relating to defense and national security. And to top it off, your institution’s bedrock philosophy embraces openness and academic freedom.

In other words, universities are magnets for hackers.

No surprise then, that a recent Sophos survey found that the education sector had the highest rates of ransomware attacks of all industries surveyed. And not all attacks involve ransoms some just quietly want the data. Particularly for research universities, the costs are more than financial. If you can’t be trusted with the data, industry and government research funders may look elsewhere. For large U.S. research institutions, boosting research-related security is now a mandate. The U.S. government’s NSPM-33 Implementation Guidance requires any institution receiving more than $50 million in federal research funding to establish a research security program. Cybersecurity is a key component of that.

Consider a university in the Middle East we work with. It has over 175 business applications, more than 100 research applications, 80 IT services, 1,500 physical and virtual servers, 1,000 workstations, 8,000 laptops, and more than 8,000 user accounts. That’s huge complexity at a not-so-huge university, and that’s the norm rather than the exception.

Higher ed institutions are adapting in two ways. The first is doing the hard work of understanding the potential risks and consequences of possible IT breaches and then tailoring their IT security practices to those risks in a way that balances openness and caution. The second is recognizing that IT security is yet another reason to move to the cloud.

Security risk assessment

No disrespect to Shakespeare scholars, but the probability of an English department’s faculty publication database hack are lower and lesser than those of the breach of a server housing data from a government-funded program studying advanced hypersonic propulsion. At the same time, employee and student databases related to English and aerospace engineering specialists must be similarly protected.

Taking a risk-based approach to IT security involves asking a lot of questions. How valuable is the data to us? How valuable would it be to an economic or geopolitical rival? How damaging would its sale on the dark web be? How hard would it be to recover it if erased? With those answers, you can embark on asking people- and process-related questions.

Who’s responsible for research-related IT security? Which outsiders (academic, corporate, or government collaborators) are your research groups who host sensitive data working with? Are there procedures to identify new or high-risk collaborations? What are you doing, particularly in high-risk areas, to foster a security-aware culture at your institution? Check out the United Kingdom government’s Trusted Research guidelines, which I highly recommend, for more on this.

Going to the cloud

Then comes technology. Just a few years ago, security was considered a reason not to move mission-critical systems to the cloud. Now it’s a driver of cloud transition. Off-premise environments are more physically secure in terms of physical access, server maintenance, and the ability to survive natural disasters. Cloud-based systems are continually updated – including with security patches – which avoids on-prem upgrades that can lag because previous customizations have to be reimplemented. Old software is vulnerable software.

Cloud-based security solutions themselves then further enhance security. These solutions encompass the entirety of an institution’s cloud-based core ERP systems and interface with third-party specialists in access control, endpoint detection and response, vulnerability monitoring, and antivirus solutions, among others. That’s vital because high-risk research projects with their own specialized IT tools may need added protection.

Cloud-based security also enables real-time visibility into the status of your IT security measures. You can monitor compliance with data-protection laws and guidelines; review operational-, network-, application-, and data-security measures you have in place; confirm service-level agreements (SLAs); check uptime and availability; and report on and review security issues, among other capabilities.

Perhaps foremost, cloud-based security puts your IT security in the hands of experts who live and breathe it day in and day out. Even major universities are finding it difficult to compete with the private sector for in-house IT security talent. Small- to midsize institutions have it even harder. Cloud-based security lets these institutions punch above their weight on the security front.

In higher education, the mix of academic freedom, complex IT environments, and valuable data are dry tinder to probing sparks thrown by bad actors. Cloud-based security is shielding universities from danger and stamping out fires before they spread out of control.

Most Popular