Cybersecurity in Higher Education – People, Process, and Associated Risks
Authored by Jacob Paullus
Information Technology and Information Security are some of the most important yet most complicated ecosystems to construct in a Higher Education environment. Between students, staff, and faculty, many of these institutions have a larger technological footprint than some of the largest companies in the world.
All universities share an incredibly diverse technological footprint due to several factors: bring-your-own-device policies, allowance of external emails, unfiltered internet usage, and many other ever-changing variables within the users and devices on the network. With the complicated nature of maintaining a university network, security gaps are likely to surface, and the impact of a network breach can be catastrophic.
Why is Security Important?
Universities must stay vigilant in their efforts to close security gaps and protect their stakeholders. Additionally, reducing the risk of a security breach is often mandated by compliance and regulatory standards. Higher Education Institutions store incredibly sensitive information, extending the typical PII into FERPA data. Additionally, many institutions conduct research, some of which requires the use and storage of medical data, which means that these networks house HIPAA-protected data.
The Human Element
As is often the case, the single biggest vulnerability within the Higher Education environment, is people. Students and faculty alike receive enormous amounts of external emails into their mailboxes, making them incredibly likely to be targeted by a phishing attack. Having tens of thousands of users means some will inevitably fall victim to phishing attempts, giving attackers a path into the network. This combined with most schools having a bring-your-own-device policy means many infected devices will potentially be brought onto the network. Additionally, with an ever-changing user base, especially one where a large portion of users are students rather than employees, implementing a consistent training program may be an incredibly difficult task.
A Disjointed Technological Landscape
Looking past the human element in cybersecurity, another major factor in education environments to note, is the variety in IT infrastructure and management. The computer science department may have different computers and procedures compared to the liberal arts department, who may in turn have different computers and procedures compared to the finance department. The differences may extend to completely different IT teams managing each of these departments. These inconsistencies in IT procedures can lead to differing patch cycles, non-uniform deployment of systems, outdated operating systems, and many more potential security gaps compared to an organization with a uniform environment.
Key Takeaways
We believe the focus of Higher Education institution’s IT and Security departments should be maintaining a consistent approach in implementing technical controls between the users and the rest of the network. Ensuring campus-wide patch management, network segmentation, and performing regular security audits are solid first steps to ensuring the safety of the network and the data housed within.
Javier is a principal within the Cybersecurity Services Group at CLA. Prior to joining CLA, Javier spent ten years supporting the Department of Defense as well as a financial services company in the fields of insider threat, incident response, analytics, and systems engineering.
Comments are closed.