More than 19 million students are enrolled in institutions of higher education in the U.S. today. When they head back to campus this fall, virtually all of them will bring laptop computers with them, since access to their college or university’s IT resources will be as vital to their learning experience as textbooks, libraries, or laboratories — if not more so. Of course, an unprecedented number of these students will be doing some or all of their coursework online, further expanding the role that technology plays in their education.
Given the importance of technology-driven learning experiences as well as the fact that higher educational institutions have traditionally underspent on technology (historically, less than 5% of university budgets were dedicated to IT), it should come as no surprise that colleges and universities are an increasingly attractive target for cybercriminals. After all, these institutions hold treasure troves of data on their students and employees as well as the intellectual property they’re creating as they do original research. And they’re tasked with providing open access to resources for large numbers of geographically dispersed users who are often untrained and rarely appreciate the importance of cybersecurity best practices.
It’s not unexpected that more than three-quarters of the 1,327 data breaches that have taken place in educational institutions in the U.S. within the past 17 years have impacted colleges and universities. In fact, in a 2018 analysis of organizations’ cybersecurity performance, the education sector ranked dead last when compared to other industries despite the fact that educational institutions are held to relatively stringent regulatory requirements.
A Perfect Storm of Cyber Risk: Higher Ed Industry Challenges
Multiple factors contribute to the unique set of cybersecurity risks that institutions of higher education currently face. Perhaps the greatest challenge results from the fact that their user population is extremely diverse, as is the variety of purposes for which technology is used. A single campus computing network might serve computer science researchers studying cryptocurrency mining, students learning about network security, digital artists working on complex, technology-enabled projects, and off-campus learners in locations spanning the globe — including countries that are home to the world’s most active cybercriminal groups and nation-state sponsored attackers. Additionally, the reality is that students might — whether experimentally or with genuine malicious intent — themselves cause a malware infection or data breach.
Like their counterparts in many other industries, institutions of higher education are challenged to recruit and retain the talented cybersecurity professionals they need to protect their large and complex computing environments. The cybersecurity skills shortage continues to be a problem across nearly all verticals, but the budgetary constraints that colleges and universities face make it especially challenging. Many security leaders in higher ed staff their security programs with students, providing these student workers with valuable learning opportunities, but this also increases seasonal turnover and the amount of time that has to be devoted to training inexperienced hires.
In addition, institutions of higher education exist within a relatively complex regulatory landscape. Not only are schools that receive Title IV funding from the federal government held to strict breach reporting standards, but colleges and universities also need to adhere to nearly every other compliance requirement — from the Health Insurance Portability and Accountability Act (HIPAA)’s provisions for those that maintain affiliated medical schools, hospitals, or even on-campus healthcare centers to the Payment Card Industry Data Security Standard (PCI-DSS) for those that accept credit card payments for tuition and fees or at the campus snack bar.
Divide and Conquer: Managing Risk Through Network Segmentation and Outsourcing
The events of 2020 made maintaining a strong cybersecurity posture more difficult for organizations across nearly all industries. But institutions of higher education may well have been better prepared than most to meet the challenge.
Bring your own device (BYOD) has been a reality in college and university computing environments for years — long before the shift to a remote workforce made it necessary for many businesses and nonprofits to consider allowing employees to use personal devices for work purposes. Security programs in higher education have often dealt with the issue through rigorous network segmentation. Because they were experienced in granting access to campus computing resources to inherently insecure devices and remote users, they were able to adapt in order to support distance learning with relative ease.
Colleges and universities have also relied heavily on Software-as-a-Service (SaaS) applications for years now. This effectively enables them to outsource responsibility for securing application infrastructure and other resources. For online classes conducted via the popular videoconferencing platform Zoom, for example, the higher ed institution only needs to worry about securing access, not the platform itself. And if library reserves or other course material is shared through third-party applications, the university’s security responsibilities are similarly limited.
What’s Needed: Help from a Vendor-Agnostic, Trusted Advisor
Many institutions of higher education can benefit from the services of a managed detection and response (MDR) provider or other trusted security partner. Their complex, highly diverse environments can be challenging to manage and secure. Often, it’s especially difficult for technology leaders to ensure that backend operational processes are followed correctly when new projects are undertaken. An expert partner can serve as an advisor as well as a source of practical, boots-on-the-ground support to ensure that the security programs of institutions of higher education are advancing their maturity — rather than getting caught up in the day-to-day activities of chasing threats, applying patches, and following up on nuisance tickets.