Defining Cybersecurity Risk management for Higher Education

At a high level, educational institutions and other organizations have similar cybersecurity risk profiles, but there are a few very specific areas that differ. Intellectual property, research needs, end users, privacy, budget, and specific compliance regulations shift the landscape from “typical” enterprise security work to something that is far more varied in nature. Cybersecurity risk, in this case, is defined as any type of uncertainty that can cause damage, loss of value, or harm to the organization via computer systems, networks, and other digital devices. Discussions about risk can get a little fuzzy when we approach them from the wrong angle, but there is a very large academic and professional body of work covering exactly how to quantify, qualify, and talk about risk-related topics.

The risk landscape for education includes a couple of key features that are a little more prominent than in other organizations. Communication, management, and governance are fairly universal problem areas in security, but the specific geography of most educational institutions increases the “silos of excellence” factor within the IT and security functions. This often leads to issues with monitoring, network boundaries, and other technical risks because budgets and policies always affect security strategy. Data risks are also significant for education due to both the varied nature of the data on the networks and the (sometimes unrecognized) need for compliance with local, national, and international regulations.


Communication, management, and organization-based risks
Communication and governance around IT and information security are probably the biggest risk multipliers for most organizations, but they’re compounded by the organization of higher education institutions. The larger the school, the more likely it is that security policies, messaging, and even IT budgets aren’t being shared across departments, faculties, or the institution as a whole. This can lead to a lot of missed opportunities for threat and risk awareness, information sharing, and overall security improvement. Internal policies can often add to this, leaving the cybersecurity team working with siloed management and communication.

This type of situation is dangerous for both day-to-day operations and long-term security strategy. A lack of clear authority boundaries, trust, and communication can seriously affect any attempt at managing a campus-wide or institutional security program. To add to that, communication issues often mean that emerging threats, program risks, and even incidents go unreported for far longer than they should. Shadow IT departments can enhance institutional risks on campus by encouraging silos, and they often reduce the impact of any mitigation or response processes. Budget separation is also a contributor, leading to situations in which some institutions have per-department or per-faculty security teams with limited coordination, low communication, and slow response to incidents.

A key factor in combating this risk is visibility. If cybersecurity personnel aren’t able to communicate across the campus and get out in front of security issues, any other program improvements, policy changes, and enforcement or response efforts are going to be slowed. PWC estimates that 30% of the cybersecurity incidents that occur globally within their client base are caused by employees—either intentionally or accidentally. According to the 2019 Verizon DBIR, a significant portion of the breaches and incidents in educational organizations are based around malware and other threats that can often be reduced by uniform policies. Ideally, every cybersecurity team needs someone to be the advocate, speaker, and front-person for the policy effort. This is as critical a role as any other on the team and often blends well with training and awareness, and incident response efforts.

Technical risks
Budget and authority limitations, as well as questions of ownership, are difficult to solve but are major drivers for security program gaps and major risks. Vulnerability management programs are an excellent example of this and a good area to start pushing for organizational change and improvement. It’s clear that vulnerability management programs are necessary on even the smallest networks due to the consistent exploitation of even the oldest threats. Rapid7’s Under the Hoodie reports consistently show that the majority of the vulnerabilities our penetration testers exploit are decades old; most of these can be mitigated or completely eradicated through solid vulnerability and patch management.

While vulnerability management might be a pain point for most, it’s part of a set of higher risks for educational institutions due to the overall IT footprint and the ability to monitor endpoints and networks. Network segmentation, inventory, and monitoring are all crucial to cybersecurity and information security risk reduction—so much so that the Center for Internet Security, NIST, and other standards organizations put them on top of their critical control lists.

Knowing what’s going on inside the network rather than just at its boundaries is the key to reducing risk. Patching, inventory control, and vulnerability management all link together to help lower the risk presented by old, uncontrolled, or just plain dangerous systems. This is another area in which education and research institutions differ from typical enterprises: there’s more old, risky equipment on the networks. The estimated 55% market share of systems running legacy versions of Windows applies to educational networks and research institutions as much as it does to other enterprises that rely on embedded or specialty systems. Due to budget and research needs, it may be hard to get rid of that million-dollar high-speed chromatography device that still runs Windows XP, but that doesn’t mean it should just sit there waiting to get attacked. An additional bonus to vulnerability management and inventory controls is that they allow the IT and budget folks to get a handle on what is where, who owns it, and, to a lesser extent, how it’s funded. This can be really helpful in defining everything from security groups and access control lists to annual departmental budgets.

Placing controls around the critical devices to limit the risks from attackers, unauthorized users, accidents, and malware requires both the knowledge that the system exists and the ability to monitor it. Centralized monitoring and configuration tools such as SCCM, ServiceNow, and other services (such as vulnerability management, software management, Active Directory, antivirus, and endpoint protection suites) are really useful for this, but stepping beyond that to a security orchestration and automation (SOAR) solution is ideal. With a SOAR tool, you can feed all of the ownership, service, and system data into a single aggregator and automate the easy stuff so that the security team can focus on incident response, strategy, and improvement instead of managing tools and low-level operations. Having a single source or service for this information definitely requires work, but it’s a significant advantage once the tools are correctly set up.

Data risks
At the network and VLAN edges, monitoring is critical for the obvious stuff, such as malware activity, vulnerability exploitation, and lateral movement. It also has a positive impact on data loss and intellectual property risks. Large educational institutions are a little like ISPs in the sense that they have a massive and diverse user base. However, they’re different in that they are responsible for more than just client PII and they can apply policies that include data loss prevention and monitoring for unusual activity. Usually, this policy application can be done while balancing researchers, staff, and student needs for privacy and accommodation. Separating networks by activity and monitoring pattern helps reduce the risk of privacy invasion while still maintaining some sense of data safety. Microsoft has written a lot on using Active Directory and tools like User Rights Assignment to do just this.

Critical data is a lot like radioactive material—it’s important to know where it is, keep it safely contained, and dispose of it in a way that it can’t do any harm. Also, it’s often controlled by governmental and international regulations, and it’s not something most people should handle without training. Higher education often has massive amounts of data that present significant risks to students, staff, and the institution if exposed to the wrong party. Awareness training helps with this, as does solid policy (provided it’s clearly communicated and carefully enforced).

Training for data will improve security
Training should cover more than basic compliance, especially in areas where researchers or staff are handling data that can cause harm. The exposure risks from research data might vary heavily, but supporting ethics and review committees with training and technical security knowledge will act as a force multiplier for data safety in most places. The usual steps around ensuring the school’s data is inventoried and safe, and placing controls around who has access to what information, are all critical to ensuring data risks are reduced.

A little training never hurts—at a larger scale, awareness of basic cybersecurity hygiene should be a 100-level course for anyone (students or staff) on the network. According to the 2019 Verizon DBIR, social engineering attacks are the second biggest cause of breaches (32%). Credential sharing and other security hygiene problems are often part of this root cause. Services like KnowBe4 and other awareness testing processes can help with training, but they must be tailored for staff, students, and a transient user base. Augmenting training with the use of captive portals that carry out virus and vulnerability scanning on guest WiFi, passive awareness tools like signs and explainers, and ongoing education can all help improve overall higher education security and reduce risks in other areas, as well.

Conclusion
Data, IT, and cybersecurity risks for higher education institutions are elevated, but a focus on strong internal communication, governance, and centralized monitoring and management will help reduce them quickly and effectively. Data handling, policy development, vulnerability management, incident response, and asset management processes all benefit from stronger interdepartmental and inter-faculty communication and the reduction of silos across campus. The use of security orchestration and automation technology can simplify a lot of the centralized monitoring and management work, but the key to risk reduction is a combination of internal awareness, careful security management, and patience. For more information, here are some key takeaways for your organization:

Data handling can be significantly improved by better communication and training at the staff level, along with clear policies and guidelines.

The use of awareness campaigns surrounding safe data handling works to reduce risks.
Phishing training and other tools will help with staff, but they can’t reach everybody.
Mandatory employee training (for staff, faculty, etc.) is a good approach.
Support and assist any research councils and other committees as much as possible. It will build a stronger community and lead to better data safety.
Inventory control (and monitoring) is hard, but it’s the biggest force-multiplier for any security program and will save the institution time, money, and headaches.

Centralized control will help cut down on IT costs for the institution
Vulnerability management and config programs can help unify the security process, and should help reduce risks across the campus, but they won’t reach everything.
Network separation and containment for old technology, high-risk systems and the stuff that should just never connect to the internet needs to be a priority.
Vulnerability management, monitoring, and SOAR technologies will help with a lot of the technical controls, but make sure there are people to handle it all the way down to the faculty and service-desk level.
Good security requires steady, constant communication, silo-breaking, and patience, because all higher education institutions are just a microcosm of society. There’s definitely going to be conflict, but a lot of it is solvable.

Getting out in front of the security program and talking about the benefits is a good way to start.
Enabling staff, faculty and students will encourage communication
Improving communication cuts down on gaps, unprotected systems, and other risks.
Having a communicator or “front person” is critical for communication and advancement. This will often be someone who is good at doing training, awareness, and public-speaking work.
Previous
Next Post »