During my tenure in the U.S. Air Force Cyber Command and years in corporate cybersecurity, I have seen many institutions of higher education struggle with cybersecurity. Unfortunately, Department of Defense academic institutions, as well as public and private colleges and universities, have had to deal with some security specialists who fail to comprehend academia’s core operating objectives. As a result, such specialists may attempt to provide institutions of higher ed with cookie cutter security solutions.
Designing the right cybersecurity plan
To be effective, cybersecurity processes and solutions must be compatible with an academic environment. Security strategies must be designed to complement and protect academia’s mission of facilitating knowledge and information sharing.
Higher ed institutions are vastly different from most private- and public-sector organizations. Those organizations’ operating procedures incorporate the inherent objective of protecting data and information from public disclosure. In contrast, the operating mantra of colleges and universities is to widely distribute and share information with little to no restrictions.
Surprisingly, the operational philosophy of sharing most information simplifies the scope of cybersecurity. Rather than attempting to secure all data, higher ed starts from the other end of the spectrum by defining the small subset of sensitive data that must have increased security protection. Hence, the scope of cybersecurity for higher ed can typically be more focused and achievable.
Colleges and universities are unique in regard to cybersecurity risk mitigation. Their success and sustainability relies heavily on reputation. Public disclosure of a cybersecurity breach that compromised an institution’s trusted intellectual property, the personally identifiable information of alumni or students, or donor financial information can lead to a loss of confidence in the institution’s academic stature and leadership.
Security strategies must be designed to complement and protect academia’s mission of facilitating knowledge and information sharing.
Here are answers to the top three questions higher ed leaders ask when addressing cybersecurity risk management on campus.
1. Is there any one risk that seems to plague institutions more than others?
Effective security cannot begin until the object of protection is identified. Identifying sensitive data can become problematic for an academic institution due to potentially conflicting objectives among academicians, researchers, administrative staff, management and the board of trustees. One group may advocate unlimited access to research data to maximize knowledge from the brightest minds available. Another group could view that same research project as creating confidential intellectual property that could potentially be monetized by the institution and therefore must be tightly controlled. Working through this potential conflict paves the way for the implementation of effective security measures.
Read: Voices in Tech: Taking cybersecurity seriously
2. How can higher ed institutions resolve vulnerabilities?
Typically, higher ed security staffs are minimally resourced, and many IT personnel simultaneously perform IT and security duties. Incorporating outside security expertise can assist in quickly identifying potential sensitive information vulnerabilities and provide security measure options for risk reduction. With an effective cybersecurity strategy and measures in place, IT departments can work more efficiently. To maintain a solid security posture, audit and compliance personnel should fill the roll of making sure basic security measures do not atrophy and are monitored in a consistent manner.
Read: Cyber insurance checklist: 4 ways to avoid missteps in purchasing
3. What are some best practices and/or policies to consider?
Execute the basic cybersecurity principles well. Some basic security best practices include: segmentation, least privilege and data reduction. Once sensitive data is identified, isolate it from the enterprise general information to reduce the risk of unauthorized exposure or exfiltration. Least privilege refers to controlled access to information. Everyone should only have the minimum amount of access to the sensitive data repositories that are essential to accomplishing their job. Once the sensitive information access list is pared down to a minimal number, those individuals should be further protected from fraud or information theft by instituting multifactor authentication. In addition, those same trusted individuals should have their mobile devices, with which they can access sensitive data, encrypted so that if the devices are lost or stolen, the information that resides on the devices cannot be accessed by an unauthorized individual.
Retired Brig. Gen. Charles Shugg of the U.S. Air Force is chief operating officer and partner for the Sylint Group Inc. He provides strategic guidance and insight for an elite team of cybersecurity and digital data forensic professionals supplying security strategy and incident response to Fortune 100 companies, nonprofit organizations and academic institutions. Shugg is a UB Tech® featured speaker, presenting the “Cyber Security Breaches: A Review of Recent University Case Studies and Lessons Learned” session.
For all UB Tech® news, click here.
