Higher Education Desperately Needs a Cybersecurity Wake-Up Call
*Note: This article was originally published by the author on July 18, 2019.*
It is commonly said that in Higher Education (a.k.a., Higher Ed) and education (K-12) in general, change occurs at a glacial pace. From the outside looking in, one might think that this statement implies change happens slowly because of an abundance of critical thought and deliberation before any action is taken. A deliberate planning process, if you will, seems entirely appropriate under normal circumstances. When it comes to technology and cyber threats, however, this glacial pace of change represents a very lucrative target for cybercriminals looking to take advantage of extremely low-hanging fruit. To understand the challenges involved with cybersecurity and Higher Ed, one must first gain an understanding and appreciation of university hierarchy and organizational structure.
The Higher Education Trifecta Construct
Three core population groups exist within the Higher Ed construct which consist of students, faculty, and administration/staff. There are other important groups such as the Board of Trustees, donors, and alumni, but generally speaking, the core groups of the typical university hierarchy are the students, faculty, and administration/staff. The specific architecture of a given university depends on whether it is a private or public school. Each of these three groups has a unique but dependent relationship with technology and cybersecurity.
First and foremost, it is important to note that without the student population paying higher-than-ever tuition and other “miscellaneous” fees, the faculty, administrators, and staff would not have jobs. Period. Students are the lifeblood and backbone of any university, period. Ironically, however, students have the least say in how the institution operates or what technology they have to learn with. This is due somewhat in part to their immaturity (i.e., age, life experience, education, etc.), but mostly their plight is due to how the American education system is constructed, which is similar to other Western countries. Only by refusing to attend universities that do not put student interests first can students ever hope to reverse this imbalance.
Students are beginning to wake up to the realization that college is not necessarily worth incurring potentially decades’ worth of student loan repayments while trying to enter the workforce, start their independent professional lives, and create their own families. Going to college has for the longest time been a wise investment in a person’s future career earning potential, but that is beginning to change with ever-increasing tuition costs and employers willing to fast-track high school graduates into the workforce through trade schools and boot camp certification courses. College has long been unaffordable for many low-income and even middle-class families. Very few students get a full-ride scholarship. If it weren’t for federal student aid and no-interest student loans, one has to wonder what shape America’s workforce would be in. The baby boomer generation is retiring and dying off in droves.
Complicating matters further is the fact that universities are struggling with protecting student private information as recent news reports have revealed time and again with data breach after breach. How would you like to start your new career with a severe case of stolen identity and massive credit card fraud on top of owing tens of thousands in student loans? No? I didn’t think so…
Millennials are paying top dollar to attend a university and learn in an environment in which the technology provided for them to learn on and about hasn’t kept pace with the technologies they are likely to face in the workforce. Additionally, the students are oftentimes substantially more technologically savvy than the faculty teaching them, because some faculty cannot be bothered to keep up with current technology trends, let alone with the cybersecurity needed to secure those technologies. The IT infrastructure is likely not hardened or even regularly patched against published vulnerabilities, which elsewhere is a common cybersecurity best practice. Universities might allocate the funds to purchase a technology refresh of new computers, Audio/Visual (AV), and other IT equipment only every 5 years or more due to budget shortfalls, shortfalls which strangely never seem to affect annual raises for administrators, faculty, and staff…
Holy cow! I am not even sure where to begin. This is a group of highly educated people that I both look up to and sometimes despise at the same time. Some are good; a lot of them are rotten, though. Decide for yourself. The one group you might expect to have the fewest issues with technology and cybersecurity, due to their advanced education, tends to be the biggest challenge for Higher Ed cybersecurity professionals. Professors like to think that they are the real money-makers at universities, feeling that they have in some measure positively contributed to the prestige of their university, which most assuredly is technically accurate in a broader sense. However, make no mistake about it: it is actually the students who have to beg, borrow, and bust their tails for a better future, many of them having to work part-time to pay their way through college, that keep the lights on at colleges. After all, it’s not as if students are researching which specific professors are teaching a given course at a given university and submitting their college applications based on that research. While that may be true at the graduate and doctoral program level, there’s absolutely zero chance that is happening at the bachelor’s degree level.
That being said, some universities are considered more prestigious than others, such as Ivy League schools like Harvard, Brown, Cornell, Princeton, and Yale. Students and their families pay a tremendous amount more for that “prestige,” but will that guarantee a high-paying job after graduation? No, it doesn’t. Nothing is guaranteed in life, remember that! And how well student personal and financial information is being protected even at an Ivy League school, or whether faculty couldn’t care less about such trivial matters, is another question altogether. Exactly how much of those tuition costs and technology fees is being spent on cybersecurity? That is the real question, and there is scarce data to answer it, most likely because universities don’t want parents and students to know how little is being spent on protecting their information. Universities commonly require parent tax returns for students who request financial aid. Where is that data being stored? How is it being protected? While this has little to do with faculty, it is still a concern that is not outright addressed by many universities. Transparency with cybersecurity is lacking.
Furthermore, faculty are notorious for demanding that they be granted Local Administrator rights on computer systems while refusing to attend privileged user training or even sign a document that outlines the rules they must abide by while holding these elevated permissions. At the institution I worked at, it was evident that most faculty simply did not understand the risks involved, and since many refuse to receive security awareness training, it is a struggle for cybersecurity professionals to reach this population group. What’s worse is that they want a vote on anything technology-related, so they can just say “No!” to any and all change that, even though it would make everyone’s personal information safer, would somehow make their job as a professor more difficult. Don’t get me wrong, it’s important that faculty have a say in how technology is implemented. However, allowing faculty to have a say in cybersecurity policy approval is a gross overreach, and some faculty will use it as an opportunity to reject any change at all. It is always about convenience over security with this group.
Some faculty are also incredibly rude, childish, and demonstrate ill-tempered rejection of the very notion that they should be required to undergo any type of mandatory training on the topic of privileged user or cybersecurity. I can’t think of too many places outside of Academia where employers would stand for this type of behavior. Additionally, many faculty refuse to even recognize the importance of cybersecurity training, be it mandatory or not, online or in-person. They simply cannot be bothered with it unless it is written into their contract. They consider it unnecessary and will find any excuse to exempt themselves from it. Ironically, however, it is these same individuals who cry foul when they are duped by phishing emails or can’t figure out why they got locked out of their email account.
Many faculty I encountered were also unsupportive of simple security control enhancements that were in some cases long overdue at their respective institutions of higher learning, such as moving away from a weak minimum password length (let’s say 8 characters for argument’s sake) to a longer, higher-entropy password that is required to be changed less frequently, or the implementation of Two-Factor Authentication (2FA). Despite explanations as to the importance of 2FA, it comes down to convenience nearly every time. “You’re making our jobs more difficult with all of this added security!” “We can’t do our jobs!”
Many faculty also like to think they are special class citizens and deem themselves as not required to sign standard confidentiality agreement forms or an Appropriate Use Policy (AUP) for university IT systems as every other type of employee is required to do. The fact that university leadership allows this to happen is baffling. It is a wonder that staff at universities across the nation haven’t risen up and demanded fair and equal treatment that they are not currently getting when compared to faculty. In fact, the last time I checked, receiving a paycheck from an employer makes you an employee of an organization that is governed by its corporate or organizational policies and directives. Should faculty not be treated the same as any other employee when it comes to following cybersecurity best practices or a requirement to sign confidentiality agreements and AUPs at a university regardless of tenure status?
If your answer is yes, they should be treated differently, then let me assure you that cybercriminals don’t care about your institution’s security policies or lack thereof. They don’t care if Sally received training and John didn’t because he’s faculty and doesn’t have time (or want) to complete training. The phishing email is going to both individuals; which one stands a better chance of doing the right thing? Faculty tenure is abused in this way by some faculty who refuse to cooperate with any administrative policies they don’t like, let alone practical cybersecurity best practices and initiatives. There aren’t too many jobs that I can think of where employees are allowed to refuse to cooperate with institutional policies that are designed for the greater good of all and yet still get to keep their job. This is nothing new though; professors have been demanding special treatment in the name of academic freedom for years. When do academic freedom and special treatment become too much of a liability for an academic institution? Is there a line that can’t be crossed? Thus far, it has yet to be recognized.
A faculty member’s tenure status should never exempt them from having to follow established security protocols, and they should not get a say in how cybersecurity controls are implemented unless it somehow impacts their ability to instruct, which, by the way, most often it would not. Of course, input from faculty should be welcomed and respected by the IT staff facilitating and protecting university technologies, but there is a distinct delineation of responsibilities and authority that should be respected. Though some faculty are technically competent and may well, in fact, be experts in their respective fields of study, they are not the professionals being held accountable for bringing the entire university into compliance with mandatory regulations. Faculty also tend to think selfishly about their own programs, putting the needs and desires of themselves and their departments or colleges before others. Some faculty members, especially those with tenure, think they are untouchable and act in a despicable manner. Their actions caused them to be labeled as vile and toxic by much of the staff, administration, and even other faculty! The university I worked for had several of these reprehensible creatures. They were flat-out ignored and avoided.
This unfair impunity breeds a toxic working environment for everyone and can lead to federal Title IX complaints. Unfair in that administrators and staff do not share tenure status protections. Could you imagine if that were the case, though? It is a corrupt system designed to protect one group of employees more than others, just so faculty can feel safe in knowing they have job security that allows them to concentrate on educating and research. Great! But what about everyone else? What happens when faculty become toxic and obnoxious? It is not a pretty sight; I’ve witnessed it firsthand. Some faculty will object to even the most basic cybersecurity initiatives on pure principle. No change whatsoever unless they agree to it! They insist on telling staff how best to perform their jobs, but were staff, administration, or students to go into a faculty member’s classroom and tell a professor how to do their job, it would be an egregious violation of academic freedom and considered totally disrespectful to all teachers everywhere. High treason I say!
It is unfortunate that some faculty see cybersecurity as a threat to their livelihood or academic freedom, because technology, when it is satisfactorily protected, can aid in their research, curriculum, and instruction. Unfortunately, professors, yes, some websites do need to be blocked because they are known to host malware. Sorry, not sorry! It’s just common sense, and if faculty can’t understand or accept that, then perhaps it is time for them to go ahead and retire. The entire university should not be put at risk so that a handful of professors can visit unsafe websites in the name of “academic research.”
I think we know what type of “research” we’re all talking about… Guess who sees the firewall traffic logs? These same faculty members want a say in technology matters to include cybersecurity initiatives and security policies despite the fact that most faculty take every Summer off from teaching or even multi-year sabbaticals and cannot be bothered to answer work emails, much less attend a meeting. I mean come on, it’s their ~2.5 months of vacation, after all, which sounds terrific doesn’t it? But hey, they probably know better than we non-faculty, average folk do, right? Last I checked I didn’t have a Ph.D., so I guess that I am probably wrong about well…everything, I am certain. Faculty is definitely my least favorite group within the trifecta and can be a threat to any university’s cybersecurity posture.
The administration and its staff are the unsung heroes of the Higher Ed machine construct. It is a machine, after all; it cranks out diplomas on a regular cadence. If that ever stopped, the Ivory Towers of Academia would come crashing down. One might be inclined to think that the author just has an ax to grind with faculty, but that would be an incorrect assertion. I’ve completed a graduate program. I’ve worked on university staff, albeit only briefly. And I’ve also been an instructor (i.e., though not at the collegiate level) and have trained faculty in security awareness. Not all faculty are jaded and childish; some are actually top-notch, very inspiring teachers. Those are few and far between in my experience, though.
This is not to say that university staff are all angels, but rather the quiet professionals who come to work day in and day out to do what is too often a thankless job and who keep the wheels of progress turning in a forward direction. Faculty aid in this process as well, to be sure, by teaching students, don’t get me wrong. Staff are the tired professionals who put in long workdays (i.e., as professors do, too) to help students with financial aid, personal counseling, academic advising, and all the behind-the-scenes work. However, one area they differ in is that staff are the technically proficient subject matter experts who actually make the systems, technology, and everything else it takes to operate a university work together in ‘seamless harmony’ so that students and faculty alike can use technology how, when, and where they need it.
Unfortunately, the university’s staff is also the core group of professionals that gets shit on the most by tenured faculty, who with their massive egos think that they operate with impunity while demanding a say in every policy decision for the university. I’ve worked as a staff member serving in a cybersecurity professional capacity and have been on the receiving end of more than my fair share of rude and disrespectful conversations with faculty members who should know better than to treat other colleagues unprofessionally.
Sadly, however, some elitist faculty members do not even consider university staff to be colleagues commensurate with their educational accomplishments. If it weren’t sadly true in my personal experience, it would almost be laughable. How different life would be if we did nothing else but go to school and teach our entire lives, right? Imagine the things you could accomplish… As the saying goes, “Those who can’t do, teach.” That isn’t to say that some professors haven’t experienced real-life (non-academic) work in private industry or civil service, but I have encountered some who have never worked outside of Academia, and many detest the idea of serving in the nation’s Armed Forces, something I am proud to say I did. I guess we’re all just “baby killers” in their eyes. The administration and staff are the strong support pillars of the university.
Now that you have some semblance of how the university hierarchy is constructed, let’s take a look at some of the biggest cyber threats academic institutions face.
Biggest Cybersecurity Threats Facing Higher Education
Research sponsored by IBM Security found that in 2017 there were a whopping 101 confirmed data disclosures at U.S. universities, a slight increase of 15 from 2014, indicating the cyber threat remains constant. It should also be noted, however, that since data breaches are often not disclosed for fear of legal retaliation and economic backlash, the number is likely even higher.
- Phishing Emails can result in financial loss or identity theft.
“Phishing remains the number one [security] threat to most companies,” says Quinn Shamblin, the Chief Information Security Officer for Eden Prairie, Minn.-based Optum Technology.
- Data breaches resulting in the loss of tens of thousands of Personally Identifiable Information (PII), Personal Health Information (PHI), and/or financial records belonging to students (and their parents who pay the tuition), alumni, staff, donors, and faculty. Universities are data factories with fresh students enrolling annually and the information of graduated alumni never goes away, it’s just sitting there.
- Ransomware or other malware infection due to unpatched software vulnerabilities (Read: total shutdown of IT infrastructure possibly for weeks, or longer) and your cyber insurance provider is likely going to push back against any substantial claim if you haven’t demonstrated adherence to a risk management framework. In other words, see you in court.
Syracuse, other schools, easy prey for ransomware
SYRACUSE, NY - Cyber attacks like the one that crippled the Syracuse City School District's computer system last week…
- Business Email Compromise (BEC) can also result in financial theft such as direct deposit payroll diversion. This type of attack can be mitigated through employee security awareness training and strict Human Resources policies that serve to verify the authenticity of employee financial requests.
Self-Imposed Challenges Impeding Success
Admittedly, my professional stint in Higher Ed was of short duration. I chose instead to cut my losses and pursue work in an industry that values cybersecurity and respects cybersecurity practitioners, instead of being relegated to the cybersecurity guy no one listens to. However, in my short tenure, I did participate as a member of the REN-ISAC community, which includes many very talented security professionals who are doing awesome things to protect their institutions. I gathered that despite having talented and skilled security professionals at these academic institutions, there are some common issues that put Higher Ed institutions at undue risk:
- No adherence to a formal risk management framework that addresses compliance laws such as the Federal Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the European Union (EU) General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLBA), and industry standards such as the Payment Card Industry Data Security Standards (PCI DSS).
- Little or no accountability from auditors/regulators on universities’ adherence to compliance standards and cybersecurity risk framework best practices though there are positive signs this is changing.
- Virtually all universities have some measure of security policies and standards in place, but they are inconsistent, lack buy-in from top leadership, and are often not enforced altogether.
- The Chief Information Security Officer (CISO) or Information Security Officer (ISO) is not given the authority and access needed from senior university leadership and the Board of Trustees to implement impactful, and often desperately needed, information security controls throughout the entire university. The CISO/ISO cannot report to the CIO without a direct conflict of interest, as the CIO may not be inclined to pay heed to the CISO/ISO’s advice or may instead choose to delay implementation over the course of years instead of weeks or months, putting the university at risk of undue exposure. The CISO/ISO should report directly to the President (CEO equivalent) of the university or to the Board of Trustees for funding initiatives and security strategy implementation. It is, of course, beneficial and important for the CIO and the CISO/ISO to communicate regularly and coordinate efforts for the Enterprise, but there should always be a clear delineation of responsibilities, permissions, and reporting. The CISO/ISO is every bit as much a C-Suite member as the CIO is. These are two distinct yet interrelated functions.
- The budget for cybersecurity is either non-existent or too little, to begin with, which leads right into the next very important self-imposed issue…
- Expecting a single cybersecurity professional (we’ll call him/her a “Lone Cyber Ranger”) to perform the entire gamut of cybersecurity defense for an entire Enterprise-level organization. Security awareness education; security incident event monitoring; digital forensics and incident response (DFIR); responding to and blocking phishing/spoofing/spam emails sent to concerned students, faculty, and staff members; writing and staffing security policies; scanning systems for missing software patches; coordinating emergent data privacy initiatives; and ensuring the university is compliant with all applicable regulations are just some of the tasks a university cybersecurity professional is required to perform. This is far too much for any one person to be expected to do on their own, much less do them all well, which is what is required to prevent serious network intrusions that could be very costly for a university. This “Let’s just pay to staff one cybersecurity professional for the entire university” mentality is common among many smaller universities around the nation and is justified by the excuse that there just isn’t enough money to go around. Don’t buy that garbage; it is false. The money is there to hire secondary and tertiary cybersecurity roles and desperately needed software/hardware products, but it just hasn’t been deemed important enough to be budgeted for and allocated by the Board of Trustees or the CIO, because they haven’t yet suffered a massive data breach that has cost the university millions to recover from. Apparently, universities also seem to be unfamiliar with job burnout, which is exactly what happens to lone cyber rangers after a given time of constant stress. Mental health issues can become a major escalating factor for InfoSec professionals, as with any profession, if stress is not properly managed.
- Outsourcing security functions to a Managed Security Services Provider (MSSP) is an option some universities choose. It is understandable that institutions might want to outsource their security problems to Cloud Service Providers (CSPs). “Hey, it’s on them, right?” Wrong: the university is still responsible for the data as the owner of that data. But let me ask you something, who is keeping tabs on what is being reported back to the university? Is anyone from the university even reviewing system event logs, or is it just a check-the-box compliance event that isn’t actually being done? Is there even a Service Level Agreement (SLA) in place that defines security parameters and is signed by both the university and the third-party vendor(s)? Oftentimes there isn’t, which is quite risky if something were to occur. I suspect it would just degenerate into a finger-pointing match.
- Intellectual Property (IP) theft by other nations such as China is a problem at U.S. universities because too often they architect their networks in a wide-open Campus Area Network (CAN) whereby anyone can sit down at a computer and use it without ever needing system logon credentials. Anyone can just plug a USB device into any open USB port to install malware like keyloggers or to steal files. There is nothing preventing this aside from perhaps anti-virus software if it has this option and only if it is properly configured across the entire domain. Chances are, it isn’t. What protections are in place to prevent this? Is Data Loss Prevention (DLP) even being addressed at all? Hint: It definitely should be.
- Making Two-Factor Authentication (2FA) “opt-in” is a terrible idea. Explain the need to senior university leadership, set a “Go Live” date, notify and train the masses of employees (to include stubborn faculty) and students, and then require 2FA for all university application access. This is doubly important if said university has an extremely weak minimum character password policy such as an 8-character minimum password length that can be cracked in less than 3 hours nowadays. You’d think implementing 2FA across campus would be a tedious but relatively simple process. However, it is anything but that in my experience.
Now, obviously, this scathing assessment is not representative of every university and won’t win me any likeability points with university professors or my former employer’s university. I am not concerned with that, though, because I feel this needs to be said. “Damn the torpedoes!” And most definitely there are universities that are shining examples of cybersecurity and that are doing very well at securing their data on their own merits. I commend them for this accomplishment. However, one former Higher Ed cybersecurity professional’s personal opinion is that it is abundantly clear that Higher Ed needs a lot of improvement in terms of cybersecurity, and I just don’t believe those holding the attitudes encountered in Higher Ed are willing to do what it takes to move the progress needle forward until more pain is felt. This means students, faculty, and staff/administration will have their data exposed unnecessarily.
Many industries aside from Higher Ed are struggling with cybersecurity; they are not alone. However, the difference in my assessment is that those other industries are moving more expeditiously and diligently to remedy the increasing cyber threats than Higher Education is. They are hiring qualified cybersecurity professionals, they are upgrading IT infrastructure, and they are complying with cybersecurity standards and frameworks. Essentially, Higher Education finds itself in 2019 in a position where the pain experienced from ransomware and data breaches isn’t real enough for many universities to take steps to implement the necessary security controls and allocate an adequate slice of the university budget for adequate cybersecurity staffing levels. Because Higher Ed moves at such a glacial pace, however, it is safe to expect we’ll continue to see more data breaches and ransomware attacks that will cripple universities and K-12 school districts in the future. Many universities are fortunate they haven’t been victimized yet. Their days are numbered, though; the clock is ticking, and it is likely only a matter of time before that changes if swift action is not taken on their part to reverse course.
What can be done then? For starters, the entire education industry would do well to swiftly adopt and adhere to cybersecurity best practices like those found in the NIST CSF or CIS Top 20, including Multi-Factor Authentication (MFA), timely software patching, 15+ character passphrase requirements that perhaps expire only annually unless there are indications of compromise, and staffing their organizations with more than one lonely cybersecurity professional. Do not fall for the hype; it is not a matter of funding. If universities want a new football stadium or a respected athletic director, they’ll shake down donors and find the money somewhere if they want it badly enough. Many of the recommended best practices are very cheap to implement, but there have to be qualified, experienced cybersecurity professionals on staff who are authorized with the appropriate domain permissions to perform these needed improvements. In the end, it is just a matter of Higher Education, as an industry, getting its priorities straight to be able to counter 21st-century cyber threats, and this author’s opinion is that they still have a long, long way to go toward getting there.
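To put numbers behind the contrast drawn above between an 8-character minimum and the recommended 15+ character passphrase, here is a small worst-case exhaustive-search calculator. It is an added illustration, not code from the original article; the guess rate of 10^12 per second (a large GPU rig against a fast, unsalted hash) and the 95-symbol printable ASCII alphabet are assumptions chosen for the estimate.

```python
# Worst-case time for an attacker to exhaust every candidate of a given
# length, as a way to compare password policies by length and alphabet.

# Assumption (not from the article): offline cracking at 1e12 guesses/s
# against a fast, unsalted hash. Slow, salted hashes cut this by orders of
# magnitude, but length remains the dominant factor either way.
ASSUMED_GUESSES_PER_SECOND = 1e12

PRINTABLE_ASCII = 95   # letters, digits and symbols an attacker must cover
LOWERCASE_ONLY = 26    # e.g. a multi-word passphrase typed in lowercase

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("length must be >= 1 and alphabet must have >= 2 symbols")
    return alphabet_size ** length


def worst_case_seconds(length: int,
                       alphabet_size: int = PRINTABLE_ASCII,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every candidate of the given length at `rate`."""
    return keyspace(length, alphabet_size) / rate


def human_duration(seconds: float) -> str:
    """Render a duration as hours or years, whichever reads naturally."""
    if seconds < 24 * SECONDS_PER_HOUR:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def compare_policies(rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Worst-case search time, in seconds, for three policies:
    the 8-character minimum the article criticises, the 15-character
    passphrase it recommends, and a 15-character lowercase-only passphrase
    (added here to show that length outweighs character-class rules)."""
    return {
        "8 chars, full ASCII": worst_case_seconds(8, PRINTABLE_ASCII, rate),
        "15 chars, full ASCII": worst_case_seconds(15, PRINTABLE_ASCII, rate),
        "15 chars, lowercase only": worst_case_seconds(15, LOWERCASE_ONLY, rate),
    }


if __name__ == "__main__":
    for policy, secs in compare_policies().items():
        print(f"{policy:28s} {human_duration(secs)}")
```

At the assumed rate the 8-character policy falls in under two hours, in line with the article's "less than 3 hours", while even a lowercase-only 15-character passphrase takes decades and a full-alphabet one effectively forever.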
This author’s Cybersecurity Score for Higher Education: Average-to-Poor (C-/D+)