A recent study of the threat potential for a comprehensive set of industries called out higher education as one of the most targeted. In the past couple of years, cyberattacks have increased by 68%, and the average cost of each attack is almost $700,000. Colleges stand to lose a great deal when attacked— beyond just the theft of data and financial loss from ransom demands, they also risk reputation damage that can negatively impact student recruiting and potential for advantages such as research grants.
As we know in today’s global, data-rich economy, all organizations face cybersecurity risks. Some are manifested in attacks that go after individuals for their personal information for financial or other types of exploitation. In other cases, the security targets include intellectual property and system-wide information. Organizations that touch large numbers of stakeholders are targeted because of the variety of data and multiple access points they offer.
Higher education institutions fall into this category and have become attractive targets for attack. They serve a disparate audience of constituents, and they store and transact with sensitive data about all of their different stakeholders. Because of this, colleges and universities require a structured security roadmap that enables flexible access to data and records, but protects also students, faculty, employees, and other stakeholders within the higher education ecosystem.
The Security Risks for Higher Education
University IT departments are responsible for the managing, securing, storing, and ultimately, protecting a massive amount of data including students (student information includes personally identifiable information [PII] like student records, financial aid information, and healthcare data, among other things), staff and faculty HR records, operational data, and records related to government grants and research, much of which is sensitive in nature.
Attackers go after private, critical data through a variety of tactics, including:
- Cloud attacks: with more higher education institutions rapidly moving critical workloads to the cloud, hackers are exploiting aspects of the shared responsibility model that leave holes in workloads and cloud environments.
- Phishing: one of the most common types of attacks is phishing, which is done through sending unsolicited and unscrupulous email messages that link to fraudulent websites.
- Device security: most organizations operate with “bring your own device” (BYOD) policies that enable employees and contractors to use personal smartphones, computers, and tablets for business use. Proper security protocols are often not enforced for these devices, which can leave sensitive data vulnerable.
- Malware: malware is software that has maliciously been installed on users’ computers. Various types include ransomware, viruses, worms, and adware. As recent events have shown, these malware threats are often used as a means to steal information and to commit fraud, including extortion.
- Denial of service (DoS): in DoS attacks, individuals who normally have access to systems or networks are suddenly denied the ability to view data or systems. It includes critical, university-specific applications, email, or other digital points of access.
Developing an Effective Security Framework
University IT security programs require a framework for continuous monitoring and response, one which manages threats to stakeholder data and intellectual property. This would not simply be a monitoring tool that sends alerts when certain security controls are breached. Rather, a foundation of vigilant approach must be embedded into processes and the way that schools conduct their operations.
The risks are ever-present and increasing in regularity. Education IT departments must apply a methodology that enables security regulations to be adapted to meet both the changing needs of their school, and to combat the increasing complexity of cyber-attacks.
Higher education IT departments are using business process management and workflow solutions like Process Director to understand their threat landscape and implement plans and policies that automate attack prevention. To begin the process, colleges and universities have to initiate a strategy that takes into account the data risks of the different populations they serve, as well as the processes employed across all different IT applications in use. While most schools have some set of loosely-defined guidelines, this first step demands mapping a comprehensive plan to a process-driven framework.
Necessary Steps for Higher Education Data Security
This security plan should be developed, implemented, and managed with an approach that takes into account the following elements:
Collaborate and plan effectively: awareness of stakeholder needs in higher education can be tricky; the requirements to operate effectively as a student is much different than how one functions as a faculty member. Consideration for these differences is critical because higher education comprises such a diverse set of needs and user types. Even within academic departments, there are vast differences in how workflow tools and process management is applied. Learning the work, goals, use cases, and language of different teams, and then tapping into their processes and methods, will give IT teams the right perspective into how to secure them.
Understand business patterns: the most effective way to understand security risk is to have an automated way to detect behavioral anomalies within workloads and processes. IT teams should develop a scenario of regular business and data patterns and establish them as baselines. They need to also meet with department leaders to gain an understanding of concern areas or vulnerability areas where behavioral anomalies tend to occur. These can be accounted for when building processes, and will lead to better visibility into what is considered as acceptable and unacceptable behavior.
Automate processes: in the course of business transformation efforts, college IT departments should seek ways to give departmental managers flexibility and ownership of their processes. In doing so, they should establish policies that encourage repeatability and automation. Processes should emphasize self-service wherever possible, and facilitate straight-through processing of standard requests and account provisioning.
Integrate tools with processes for better outcomes: colleges have already invested a great deal in their technology stack. It’s imperative that IT teams understand the tools, data, and communication channels that are used across all technology efforts, and then recognize where security vulnerabilities could happen within each of them. Reducing overall ‘application spaghetti’ is an excellent first step toward consistency of process. This can start by collecting the security protocols required of each system, and then finding a way to apply them appropriately to the processes they touch, or whether the systems themselves should be eliminated altogether in favor of a self-build low-code application.
Implementing a security approach to higher education management does not happen overnight. IT teams have to be thoughtful about what they want to achieve, and operate with awareness of stakeholder needs and the intricacies of the technology stack. Additionally, while digital transformation efforts to move workloads into the cloud and use BYOD policies are delivering greater flexibility, they are also opening new threat vectors. With a process-focused approach, colleges and universities can improve their security posture and help to ensure the safety of critical data.