Cybersecurity in Higher Education

Information security risks plague every sector, and higher education is no exception. According to a recent report [1], 87% of universities have experienced a cybercrime incident.

Attackers who target higher education organizations are typically looking for personal information, financial information, research data, and intellectual property owned by the university, its partners or sponsors. This data is attractive to organized criminals, nation-state actors and hacktivists.

Cybersecurity: A Balancing Act for Higher Education

Some universities have a knee-jerk reaction to a cybersecurity incident. They add more security controls and tighten access to their resources as their IT security team becomes more paranoid. This happened at UCLA [2] following a major cybersecurity incident; the IT security team began to monitor faculty and student internet activity without consent, which, quite rightly, caused a huge backlash.

This illustrates the point that cybersecurity can be a balancing act between security measures taken to reduce threats, the user’s right to privacy, and the general usability of the solution. IT security teams have often found it difficult to get this balance right in an academic setting. 

Higher education in the United States prides itself on academic freedom. The faculty, students, and researchers at higher education institutions rely on that openness (and open networks) to engage in their work without administrators restricting access to specific types of information they need to use in their studies and research.

But somehow, this academic freedom has become confused with the freedom to use the internet and the organization’s computing resources however users wish. These computing resources are essential to how scholars conduct their research. The problem they run into is a hostile external environment full of cyber threats, which forces campus IT security teams to walk a fine line when implementing cybersecurity measures.

Cybersecurity On-Campus Is Unique

Cybersecurity in higher education is different than it is in corporate environments. Businesses find it easier to get employees on board in protecting their confidential information and intellectual property. Employees are more likely to adhere to strict access control policies and cybersecurity controls around their work. 

But on campus, the free flow of information between researchers, students, faculty, and their wider community is a big part of why academic communities flourish. However, these academic ideals bring them directly into conflict with cybersecurity policies and a hostile threat landscape. It has caused headaches for IT security teams trying to create a balance between security and an open environment.

The job of campus IT teams is to help the organization’s participants go about their work securely and effectively, but in both research and teaching, productivity needs to be balanced with strong security requirements. 

Compromise and education are appropriate in this case. In return for some cybersecurity education designed to make the user safer, the IT security team can work out their acceptable risk levels when assembling policies for the user. In academia, IT security teams need to consider input from their researchers, students, and the faculty but not let it influence the school’s cybersecurity posture.

There will always be admin teams and members of the faculty who need access to specific IT resources to carry out their work. Where a course instructor who teaches information technology may need administrative access to their machine, a member of the admin team working on clerical duties probably does not. When campus cybersecurity policies accommodate a specific user’s needs, they avoid users going rogue and embracing shadow IT solutions.

Higher education cybersecurity teams need to listen to their users and establish a relationship built on trust and transparency. 

Cybersecurity Strategies for Higher Education Institutions

In an environment where academic users push back against strict security controls, security monitoring and event logging are the IT security team’s best friend. For users, this means that everything they do on the organization's computers will be recorded and tracked, but this can be done unobtrusively, and if the users consent, there are no privacy issues. 

Because universities need to be flexible in the way they approach cybersecurity, closely watching for cybersecurity incidents and being able to quickly respond to them is essential. The faster an issue is detected and remediated before it can become a problem, the better. 

Academics could feel uncomfortable with comprehensive security logging and monitoring, but with some careful training and education, the perception of Big Brother watching over them can be limited. Education is important to teach users that security monitoring is not spying. If the campus IT security team tries to take on cybersecurity by itself, without the cooperation of users, it will likely fail. The challenges of protecting an organization are far too big for a small group to deal with. To further compound matters, users without any cyber awareness or education can become victims of phishing or social engineering attacks against the university.

It is far better to make the effort to educate users about how best they can protect themselves and the university or college at the same time. All of this contributes to users being able to protect themselves and to a lighter load on the security team.

The End-User Perspective

Ultimately, academic users need to be reasonable in their position on campus cybersecurity. If they don’t need full privileges on a system or access to every resource, they need to make that clear. Unnecessary access makes it difficult for the IT security team to do their jobs because it exposes the organization to an unacceptable level of risk and vulnerability.

That isn’t to say that academics should give up all of their rights. Research staff and faculty should be proactive in the way they communicate with the IT security team. If they need a private WiFi router in their office, they need to let the IT security team know so that the team can maintain oversight. Lots of cybersecurity incidents begin with a lack of visibility over the infrastructure, and it is the responsibility of the user to make the IT security team aware of any activity that could jeopardize security.

Responsible users take cybersecurity into their own hands and realize that they are in control of the security of the systems they use. This is important because users can often be the weakest link in a security system. Users should demand training and education materials that help raise cyber awareness, and should learn how to defend against common cybersecurity threats.

After all, most phishing attacks can be thwarted by savvy users spotting and reporting them, simply because they have been trained to.

Whether you are a member of the IT security team or an end user, the collective mission is to make security usable and unobtrusive, ensuring that peers understand the need for security measures in the first place. Collectively, it is everyone’s responsibility to balance academic freedom and cybersecurity.

Contact Digital Hands

Have more questions about cybersecurity in higher education? Digital Hands employs a deeply experienced team of cybersecurity professionals with the answers you’re looking for. 

If you or your partners need a competent security services provider to ensure that you are making the right moves with your cybersecurity, get in touch with Digital Hands by calling (855) 511-5114 today.

About Digital Hands: Recently ranked as one of the Top MSSPs in 2020, Digital Hands is a trusted global cybersecurity leader continuously taking action to protect our customers’ most valuable assets against relentless threats.

Digital Hands is proud to offer extensive security expertise and advanced monitoring and reporting capabilities. Our robust set of innovative cybersecurity services and solutions ensures your organization, customers and employees are defended against cybersecurity attacks and data breaches round the clock.

We are proactive in our response orchestration that includes in-depth analysis and business context. Digital Hands enables our customers to harden their security posture, outmatch bad actors and benefit from our complementary white glove service and excellence in delivery. Our industry-leading customer retention rate and Net Promoter Score of 94 reflect how we go above and beyond every day for our customers.

References:

1) https://www.nextgensecurityforeducation.com/wp-content/uploads/VMWare-UK-University-Challenge-Cyber-Security.pdf

2) https://www.nytimes.com/2016/02/02/technology/at-uc-berkeley-a-new-digital-privacy-protest.html