Higher Education Desperately Needs a Cybersecurity Wake-Up Call

The Higher Education Trifecta Construct

credit: thewritingcampus.com



Beware faculty: The Hacker Mindset will prevail every time


Biggest Cybersecurity Threats Facing Higher Education

Credit: thecybersecurityplace.com
  • Phishing Emails can result in financial loss or identity theft.

“Phishing remains the number one [security] threat to most companies,” says Quinn Shamblin, the Chief Information Security Officer for Eden Prairie, Minn.-based Optum Technology.

  • Data breaches resulting in the loss of tens of thousands of Personally Identifiable Information (PII), Personal Health Information (PHI), and/or financial records belonging to students (and their parents who pay the tuition), alumni, staff, donors, and faculty. Universities are data factories: fresh students enroll annually, and the information of graduated alumni never goes away; it just sits there.
  • Ransomware or other malware infection due to unpatched software vulnerabilities (read: a total shutdown of IT infrastructure, possibly for weeks or longer). Your cyber insurance provider is also likely to push back against any substantial claim if you haven’t demonstrated adherence to a risk management framework. In other words, see you in court.
  • Business Email Compromise (BEC) can also result in financial theft such as direct deposit payroll diversion. This type of attack can be mitigated through employee security awareness training and strict Human Resources policies that serve to verify the authenticity of employee financial requests.

Self-Imposed Challenges Impeding Success

  • No adherence to a formal risk management framework that addresses compliance laws such as the Federal Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the European Union (EU) General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLBA), and industry standards such as the Payment Card Industry Data Security Standards (PCI DSS).
  • Little or no accountability from auditors/regulators on universities’ adherence to compliance standards and cybersecurity risk framework best practices, though there are positive signs this is changing.
  • Virtually all universities have some measure of security policies and standards in place, but they are inconsistent, lack buy-in from top leadership, and are often not enforced at all.
  • The Chief Information Security Officer (CISO) or Information Security Officer (ISO) is not given the authority and access needed from senior university leadership and the Board of Trustees to implement impactful, and often desperately needed, information security controls throughout the entire university. The CISO/ISO cannot report to the CIO without a direct conflict of interest, as the CIO may not be inclined to heed the CISO/ISO’s advice or may instead choose to delay implementation over the course of years rather than weeks or months, putting the university at risk of undue exposure. The CISO/ISO should report directly to the President (CEO equivalent) of the university or to the Board of Trustees for funding initiatives and security strategy implementation. It is, of course, beneficial and important for the CIO and the CISO/ISO to communicate regularly and coordinate efforts for the Enterprise, but there should always be a clear delineation of responsibilities, permissions, and reporting. The CISO/ISO is every bit as much a C-Suite member as the CIO is. These are two distinct yet interrelated functions.
  • The budget for cybersecurity is either non-existent or too small to begin with, which leads right into the next very important self-imposed issue…
  • Expecting a single cybersecurity professional (we’ll call him/her a “Lone Cyber Ranger”) to perform the entire gamut of cybersecurity defense for an Enterprise-level organization. Security awareness education; security incident and event monitoring; digital forensics and incident response (DFIR); responding to and blocking phishing/spoofing/spam emails sent to concerned students, faculty, and staff members; writing and staffing security policies; scanning systems for missing software patches; coordinating emergent data privacy initiatives; and ensuring the university is compliant with all applicable governance are just some of the tasks a university cybersecurity professional is required to perform. This is far too much for any one person to be expected to do on their own, much less do well, which is what is required to prevent serious network intrusions that could be very costly for a university. This “let’s just pay to staff one cybersecurity professional for the entire university” mentality is common among many smaller universities around the nation and is justified by the excuse that there just isn’t enough money to go around. Don’t buy that garbage; it is false. The money is there to hire secondary and tertiary cybersecurity roles and to buy desperately needed software/hardware products; it just hasn’t been deemed important enough to be budgeted for and allocated by the Board of Trustees or the CIO, because they haven’t yet suffered a massive data breach that cost the university millions to recover from. Universities also seem to be unfamiliar with job burnout, which is exactly what happens to lone cyber rangers after enough time under constant stress. Mental health issues can become a major escalating factor for InfoSec professionals, as with any profession, if stress is not properly managed.
  • Outsourcing security functions to a Managed Security Services Provider (MSSP) is an option some universities choose. It is understandable that institutions might want to outsource their security problems to Cloud Service Providers (CSPs). “Hey, it’s on them, right?” Wrong: the university is still responsible for the data as the owner of that data. But let me ask you something: who is keeping tabs on what is being reported back to the university? Is anyone from the university even reviewing system event logs, or is it just a check-the-block compliance event that isn’t being done? Is there even a Service Level Agreement (SLA) in place that defines security parameters and is signed by both the university and the third-party vendor(s)? Oftentimes there isn’t, which is quite risky if something were to occur. I suspect it would just degenerate into a finger-pointing match.
  • Intellectual Property (IP) theft by other nations such as China is a problem at U.S. universities because too often they architect their networks as a wide-open Campus Area Network (CAN) whereby anyone can sit down at a computer and use it without ever needing system logon credentials. Anyone can just plug a USB device into any open USB port to install malware like keyloggers or to steal files. There is nothing preventing this aside from perhaps anti-virus software, if it has this option and only if it is properly configured across the entire domain. Chances are, it isn’t. What protections are in place to prevent this? Is Data Loss Prevention (DLP) even being addressed at all? Hint: it definitely should be.
  • Making Two-Factor Authentication (2FA) “opt-in” is a terrible idea. Explain the need to senior university leadership, set a “Go Live” date, notify and train the masses of employees (including stubborn faculty) and students, and then require 2FA for all university application access. This is doubly important if said university has an extremely weak minimum password policy, such as an 8-character minimum password length that can be cracked in less than 3 hours nowadays. You’d think implementing 2FA across campus would be a tedious but relatively simple process. However, it is anything but that in my experience.





the salty chronicles of one bumbling infosec engineer’s lifelong quest to design less shitty privacy & security while trying his best not to blow up the planet
