Cybersecurity in higher education is becoming an urgent focus area for college and university directors, administrators, and boards. Higher education institutions are facing cybersecurity incidents and breaches at an increasing frequency, and the nature of these attacks are varying significantly in sophistication, objective, and scope. At the end of March, the U.S. Department of Justice and the U.S. Department of the Treasury announced law enforcement efforts in response to Iranian state-sponsored cyber-attacks on hundreds of universities around the globe, including more than 100 U.S.-based institutions. In January, a successful spear-phishing attack at the University of Hawaii made the news; it resulted in a data breach impacting approximately 2,400 faculty, staff, students, and student applicants. Last summer, computer equipment theft at Washington State University resulted in the loss of personally identifiable information (PII) and protected health information (PHI) for approximately one million individuals. These are just some of the most recent publicly disclosed examples, and they underscore the broad spectrum of cybersecurity risk in higher education institutions.
In addition to the significant uptick in threat activity, there has also been a proliferation of cybersecurity and data protection regulations with which higher education institutions may need to comply, depending on the nature of each institution’s unique profile, including their academic and research activities. Organizations in the sector should evaluate how their operations are relevant to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; the protection of student data under Family Education Rights and Privacy Act (FERPA) regulations; the protection requirements of U.S. Federal Controlled Unclassified Information (CUI) as outlined under the National Institute of Standards and Technology (NIST) Special Publication 800-171 relevant to government information or contractors; and Payment Card Information Data Security Standard (PCI-DSS) requirements, among others.
The First Step is Cybersecurity Risk Assessment
To manage these cybersecurity threats, risks, and compliance challenges, each institution should start by conducting a thorough assessment and analysis of its current cybersecurity environment and posture, with a focus on understanding underlying drivers of cyber risk, what information they create and store is the most valuable, key threats, other risk considerations, and the regulatory and compliance landscape. This must be done with a holistic approach, acknowledging all dimensions of cybersecurity. Academic environments are rich with sensitive information, often including student records and other personally identifiable information, financial aid and/or transaction data, and healthcare information—as well as data related to cutting-edge, specialized research. Institutions may find themselves squarely in the crosshairs of malicious actors simply by being a potential source of this type of information. A “checklist” of cybersecurity best practices for higher education institutions or “one-size fits all” approach will not suffice, and really does not exist. Each institution will have unique data elements, technology footprints, processes, risks, and other attributes which need to be considered to develop an accurate portrait of the school’s cyber risk.
The Second Step: Planning an Evidence-Driven Risk Mitigation Plan
Once an independent and objective view of the institution’s current cybersecurity position is established, and the greatest risks identified, then each institution can move on to the second stage: thoughtfully planning a risk-prioritized approach to achieving its cybersecurity governance, risk mitigation, and compliance objectives. Many higher education institutions have highly decentralized information technology and/or security functions, which can make governance and control difficult. Adding to the cybersecurity in higher education challenge is the culture of open sharing of information and data that is commonly pervasive across institutions like these. Implementing strong cybersecurity controls can often pose a significant change management challenge in these conditions—but it is a necessity, and it cannot be done without the critical first step of understanding the institution’s unique compilation of risks. Use your biggest risks as a guide to help you design and adopt strong controls in spite of the many challenges present in an educational setting.
The Third Step: Implementation and Continuous Improvement
After these first two steps, it’s time to act. Implement reasonable but effective policies, standards, controls, tools, processes, and technologies. Leverage experienced internal and external cybersecurity resources when necessary to ensure technical solutions are configured properly and governance-related protocols are structured effectively. But even when you reach this point, the work isn’t done. Plans and strategies should be periodically reviewed and adjusted to keep up with the ever-changing cyber risk and compliance landscape. These steps can enable a holistic transformation of an institution’s cybersecurity program.
Higher education and research institutions are facing significant and increasing information security challenges and must act quickly. Threat actors won’t wait to attack while an organization figures out how to defend itself. The data protection regulations with which many of these organizations must comply are proliferating and being enforced without pause. While it’s tempting for anyone under these kinds of pressures to jump to tools and solutions, the first step—especially for financially careful colleges and universities—starts with the fundamentals. Identify the key risks, threats, and compliance drivers. Evaluate current capabilities versus target objectives. Strategize and plan for enhancement. Then implement and iterate. Building a culture of cybersecurity awareness requires a process for continuous improvement, because only with consistent effort can institutions stay a step ahead.