Higher Ed Cyber Threats: What you can do to defend your campus

Adapting to the new security realities
Issue: October, 2019 | Web Seminar Digest
September 26, 2019

Colleges and universities face a variety of unique cybersecurity threats. While allowing access to networks, institutions have to accommodate a constant churn of new users and thousands of BYOD devices—often under tight budgets. Cyberattacks can target valuable research data, as well as personal and financial information.

This web seminar discussed the new cyber threat landscape in higher ed, how to ensure that an institution is compliant with recent federal cybersecurity regulations, and some defensive strategies to help any college or university leader.


Christian Schreiber
Higher Education Cybersecurity Lead

Barry Brummund
University of Arizona

Christian Schreiber: We’re seeing some broad trends. One of the big ones capturing headlines is ransomware, and a big shift this past year is that ransomware has moved from opportunistic attacks to picking victims intentionally. Another threat for higher ed institutions is compromised email accounts—either to carry out an attack or to sell university email addresses on the dark web.

We’re definitely seeing more awareness with nontechnology stakeholders. Just in the past year, multiple universities have asked for cybersecurity experts to speak to the board, and presidents and chancellors are becoming more aware. This is a double-edged sword. Cybersecurity is no longer a technical issue that’s buried deep inside IT; it’s something that boards and auditors and others are aware of now. The flip side is that they’re expecting the answers from you, as technology leaders, in terms of what you’re doing around cybersecurity.

I hear university IT leaders say, “We’re just a university; what could somebody possibly want with our environment?” There are a few motivations for these types of attacks. The most simple is financial; they want to get data that they can sell. Other goals include causing disruption, exploiting infrastructure to attack others, targeting researchers, satisfying geopolitical objectives and stealing credentials.

Barry Brummund: We have 100,000 devices connected to our network each day, most of which are brought to campus by students or visitors. We’ve made a fairly substantial number of investments into our information security infrastructure and, in particular, into the infrastructure that we use to conduct research. We felt that the time was right to do so—from a technology perspective and from pressing external needs, namely contractual clauses passed down from the federal government.

One thing we’ve done is implement multifactor authentication for all of our faculty, staff and students. We thought it was going to be extraordinarily difficult and aspirational, but we were successful, and multifactor authentication has helped reduce risks.

In 2016, we recognized a need to build an environment where we could safely undertake very regulated research. It took us 16 months—from the business plan and ideation period to having the infrastructure in place and the service fully available.

The work has been a partnership among our Office for Research, Discovery & Innovation; University Information Technology Services; and central administrative units. The customers are our colleges in engineering and colleges of optical sciences, among others, as well as our IT staff. And we have a specific governance process and a group in place to handle resource and prioritization questions, and also to assist with feedback and with communications.

We have a couple of recommendations for those in higher ed who may want to set up their own regulated research environments.

First is that this requires specific, dedicated resourcing, and the second is understanding that each of the different environments has specific requirements for success. Plan for a project initiation and build for each of the contracts that gets signed, and anticipate an underpinning of consistent build infrastructure. That code can be leveraged, but it will likely need modifications to account for specific per-project needs.

Christian Schreiber: How can you build resilience into your cyber programs rather than taking a reactive approach? While you can never have 100 percent prevention, focus on these three strategies for resilience:

1. Prevent what you can. Get the best protection technologies you can afford.

2. Ensure that you’re also enabling detection, response and recovery. Because some attacks will get through your protection technologies, make sure that you’re investing in detection and response capabilities to help you catch those things that do get through.

3. Proactively improve your efficiencies and manage your costs. For higher education, I like the National Institute of Standards and Technology’s cybersecurity framework. It’s free to download, and it aligns with the cyber risk framework the federal government is using.

To watch this web seminar in its entirety, please visit UBmag.me/ws081419