In spite of our best efforts, and no small dose of wishful thinking, data breaches are occurring in alarming numbers among higher education institutions. Cyber threats put entire institutions at risk given our heavy reliance on technology and the integration of technology into just about everything we do on campus and, remotely, off campus, too.
The need to minimize institutional risk and to balance user access with security calls for an organization-wide security strategy developed around a careful assessment of your institution’s particular risks and vulnerabilities. Your security strategy should have a strong foundation of technical, administrative, and physical controls — in other words, people, processes, and technology — that work together to protect against the threats.
In 2014 alone, colleges and universities experienced almost two dozen breaches, exposing nearly a million records, according to the Privacy Rights Clearinghouse. Many were hacking incidents, exposing social security and student ID numbers; health, banking, and employment data; credit card numbers; and driver’s license information. Perhaps even more alarming is that, for several of the breaches, the type of intrusion and the numbers of records compromised were not known.
Higher education institutions can make fine targets for cyber thieves. Colleges and universities house significant amounts of sensitive data — about students, parents, alumni, staff, faculty, and research — and that data often resides in large and complex information systems. The traditional academic culture of openness and sharing may mean that higher ed institutions have to work harder at heightened vigilance to stay a step ahead of attackers.
Cybersecurity concerns — including viruses, malware, hacking, portable device use (and misuse), payment card fraud, and other types of breaches — are a high priority for many institutions. As well they should be. The costs of cyber attacks are high, whether financial, legal, or reputational.
The following best practices can help prevent your institution from becoming a victim.
Make cybersecurity a business and an organizational priority
Your IT team should not “own” information security. Your network and data underlie much, if not all, of your institution’s mission-critical work. Keeping those assets safe is a campuswide responsibility. This may represent a shift in culture, and it’s a critical shift to make.
For its annual EDUCAUSE Top 10 IT Issues list, the Higher Education Information Security Council (HEISC) identified the three most pressing strategic issues facing the information security community. The highest priority issue identified was “developing an effective information security strategy” as a “first step in establishing information security as an institutional strategic partner rather than an operational concern,” explains a recent article in EDUCAUSE Review.
Such a strategy should focus less on specific technologies, since these are constantly evolving, and more on security goals as they relate to the institution’s overall strategic plan and mission. As you develop and refine your own security strategy, remember that information security relies upon the cooperation and coordination of people, processes, and technology. No one resource alone will do the job.
Implement, and strengthen, user awareness training
Your staff, faculty, and students are your institution’s lifeblood and greatest asset, yet they also may be a liability when it comes to cybersecurity. The growing trend of BYOD (bring your own device) and the increasing use of downloaded apps only underscore this vulnerability.
User training was the second top issue identified by the HEISC. “Making sure that students, faculty, and staff have adequate training on how to use and protect the data entrusted to and generated by the institution is of critical importance,” advised the EDUCAUSE Review article.
Awareness training and education also are priorities for the state of Michigan and its educational partners. See the related interview on page 17 with Michigan CIO David Behen about the Michigan Cyber Range and other cybersecurity initiatives.
Do thorough due diligence with IT service providers
Tempting as it may be to hurry through the due diligence process and get new applications up and running, don’t. Check the references vendors provide. Request, and review, audited financial statements. Examine the company’s internal controls, security history, and Service Organization Controls (SOC) reports. Look into any litigation or regulatory actions against the provider. Make sure your agreement includes breach notification requirements.
Take a layered approach
The unfortunate reality is that no institution can, or wants to, build walls high or thick enough to be truly secure; cybercriminals are sophisticated, and they rapidly adapt to thwart new security measures.
Instead of a massive wall, think in terms of a layered approach: Aware users (the “people” layer) effectively execute your overall IT security governance model and the policies and procedures developed to manage security (the “processes” layer). Software and hardware (the “technology” layer) enhance the effectiveness of both people and processes to better protect against threats. In this way, when — notice we didn’t say “if” — hackers infiltrate your system, you have controls in place to detect their activity quickly and limit your overall exposure.
Information security is a key part of any institution’s risk profile. Your information security strategy, programs, and practices should all be informed by your institutional risk assessment and the particular IT and other risks your organization faces. Only then can you best balance security and protection with accessibility to the valuable resources that facilitate your institution’s research, teaching, and learning.
Cybersecurity and the Michigan Cyber Range
In a model public-private partnership, the state of Michigan, along with companies like Plante Moran, and public higher education institutions are training cybersecurity pros through the Michigan Cyber Range.
Led by the Merit Network, a nonprofit corporation owned by Michigan’s four-year public universities, the Cyber Range provides a secure virtual environment where IT and information security pros can practice defending against, detecting, and responding to different types of cyber threats. At the heart of the Cyber Range is Alphaville, a virtual village currently comprised of a public library, public school system, power company, and police station. Organizations can use the cyber village for customized, hands-on training exercises.
Plante Moran spoke with state of Michigan CIO David Behen, who also directs the state’s department of technology, management, and budget, to learn more about the Michigan Cyber Range and the role of higher education as well as cybersecurity as a driver of economic development.
Plante Moran: How did the idea for the Michigan Cyber Range come about?
David Behen: The Michigan Cyber Range was an idea Governor Snyder had, and back in 2011 he had a conversation with then-Secretary [Janet] Napolitano of the Department of Homeland Security. The White House really wanted to have a Cyber Range that we could use for R&D, and Michigan took that very seriously. We made it happen.
We think of the Cyber Range as similar to a missile or firing range but for cybersecurity — viruses, malware attacks on your network, hacking, other threats. It’s also designed, from an economic development perspective, to train, retain, and attract talent. It forms the foundation of our Michigan Cyber Initiative.
The Michigan Cyber Range is the model for the United States right now. We have 14 states talking to us about it. We’re working with several private-sector companies and educational institutions. It’s one of the only unclassified ranges in the United States.
Plante Moran: How are higher education institutions involved in, and benefiting from, the Cyber Range?
David Behen: The state’s higher ed institutions are involved through Merit Network, which operates the Range. Merit’s board of directors is composed of representatives from public universities in the state. In addition, Eastern Michigan University, Northern Michigan University, Ferris State, and Wayne State are Cyber Range hubs — they have pieces of Cyber Range infrastructure at their universities. We continue to talk to other schools, too.
It’s important that educational institutions are involved. Frankly, that’s where a good part of our talent is. We’re also working with some of the state’s community colleges, including Wayne County Community College [in Detroit] and Washtenaw Community College [in Ann Arbor]. As we think about the IT skills of the future, we have to think about how we further engage the community colleges and four-year universities to be a part of this.
If you look at Ferris State University and Eastern Michigan University, both have phenomenal information assurance and cybersecurity programs. Their involvement in the Cyber Range allows them to broaden their curricula and enable students to benefit from hands-on experience.
Plante Moran: How do the state and its security initiatives benefit from having higher ed institutions involved?
David Behen: We can’t do this on our own. The more we can do to retain and attract talent through use of the Cyber Range at our universities and community colleges — and high schools at some point — not just within the state but throughout the Midwest and nationally, the better. There is negative unemployment right now in cybersecurity; there are more jobs to fill than people with the skills needed to fill them. Michigan is doing a great job to prepare students and IT professionals for taking on these very important roles in the future.
Plante Moran: Can you talk about higher education involvement in other state cybersecurity initiatives?
David Behen: One of the things we’ve been successful with in the past and now are really pushing is cybersecurity education and awareness training. About 80 percent of attacks could be stopped if end users like us were appropriately trained and educated on the proper use of technology. We’ve already trained more than 47,000 state employees online. Now we need to push that into the education arena. If you think about students, they’re immersed in technology. We need to educate them, give them tools, and skills, and resources to protect themselves and others.
Another project is the Michigan Cyber Civilian Corps. Think of 10 teams of five members each, like volunteer firefighters, situated throughout the state in our economic prosperity zones. In a cyberattack, they could step up and assist small businesses, educational institutions, and government to respond. With teams throughout the state, think of the dialogue and conversations that would happen with these cybersecurity experts — not only when they respond to an attack but in educational settings, where they can talk about cybersecurity and raise awareness. It’s very powerful.