Colleges and universities rolled out technologies over the past two years to deal with new teaching and learning models during the pandemic. While institutions were implementing new technology tools and increasing accessibility to meet the changing needs of students and professors, they may not have included satisfactory protocols to secure data. Then cyber hackers got to work targeting higher education to take advantage of these vulnerabilities.
Fierce Technology’s recent virtual event, Higher Education: Technology Profiles in Success – Spring, brought together education technology and higher education leaders to discuss the most pressing issues currently facing colleges and universities. The Cyber Crackdown: Keeping Student/University Data Safe session featured Greg Flanik, CIO & Technology Leader, Baldwin Wallace University, who discussed the security steps that institutions need to take to keep their data secure and stay one step ahead of bad actors and cyber threats.
Flanik introduced his institution’s IT security strategy framework, stressing that cyber risk and mitigation strategy should be treated similarly to any other business risk and with the objective of enabling business performance and creating sustainable value. “Eliminate the technology talk, bring in business units and leaders, identify the risks, overall risk appetite and important information and applications, consider regulatory requirements and assess risk, threats and vulnerabilities,” Flanik said. “Make sure you’re protecting what matters most and tie strategies to business drivers. Make sure what you set up is sustainable. Get governance right and optimize business performance so you make sure you are running efficiently.”
Flanik encouraged institutions to take a university-wide approach to building a business continuity plan. “Look at what assets are needed to keep the organization functioning in the event of a cyberattack,” he advised. He also noted that a good resource for universities is the Verizon Data Breach Investigations Report (DBIR), which includes information on the higher education vertical and identifies some of the main threats, giving institutions a framework for responding to threats if they don’t have a plan in place.
Typical cyber risks are financially oriented, and common attack methods include phishing, malware and compromised credentials, as well as denial of service and malicious insiders. “We’ve seen all of these threats at our university,” Flanik explained. “Setting up programs that address these issues will put you in good shape at setting up a cyber protection strategy.”
During the session, Flanik discussed the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework, which universities should consult in developing their own security framework.
“Our target is to get to a measured, controlled environment based on a school our size and with our budget,” Flanik said. “It would be nice to be fully optimized, but there are only so many resources we have to secure our environment.”
Budgets and resources are stretched, of course. A poll of session attendees found that only 23 percent of institutions have enough funding and resources to protect the university and students from a cyberattack. Another 23 percent said they do not, and 52 percent are still evaluating the situation.
But every college or university has to take some action to protect data. Flanik said that at a minimum, universities should take the following measures to protect their data:
- Security awareness training
- Phishing tests for students, staff and faculty, with results that can be analyzed
- A solid cloud strategy
- Multi-factor authentication
- Data loss prevention program