Since most colleges have their physical security down pat, then that should mean their cybersecurity is under lock and key, right?
With network hackers growing smarter and threats becoming more inevitable, colleges are accepting that breaches are bound to happen.
However, even though colleges expect the worst to happen to their networks, they should still arm themselves with the best protection strategies.
Greg Harp, the media relations executive for LoudCloud, says that colleges are throwing their data up to servers like the Cloud because of its low cost and space-saving capabilities.
He says that a college’s IT department may also choose to run different software and host that software on the school’s network, which creates the need for additional resources.
“Many of these campuses already have space issues and a whole lot of other issues,” Harp says. “So being able to [use] the Cloud saves them that cost, space, the ability to upgrade online rather than a host of consultants trying to come onsite and figure out the customizations they’ve done over the last three years of when they installed that on their network.”
But while the Cloud and other networks solve these problems, they create security issues for the college’s network.
What Makes Hackers Covet College Networks
Deren Chen, Inside Solution Architect for Security at CDW-G says college networks are vulnerable to attacks due to their openness, which means they can support any device.
“If you look at higher education as a whole, these are probably some of the most open networks,” he says. “If you’re staying within a dorm, not only do you bring the device into the dorm, you’re inside the university network. There are so many users, so much information, like social security information. It’s right there for the taking.”
Sandeep Kumar, Principal Solution Marketing Manager, ForeScout says cyber threats on colleges networks are more critical when compared to company networks.
He says this is because colleges have unique device features that reveal three main soft spots for threats to sneak into:
- BYOD capabilities – “I think higher education is the sector with the highest percentage of personal devices,” Kumar says. “We have customers who have said in the last year, they have gone up to 80 or 90 percent of the devices on the network being personal devices owned by students or faculty. BYOD is not really an option in education.”
- Security policies – “If you’re in finance or healthcare, you can create a pretty stringent security policy,” Kumar says. “You can also create a fairly stringent BYOD policy. In the case of education, that is very difficult. They have to balance the availability of resources because it’s all about balancing availability with student learning.”
- Privacy regulations – “Education is one of the sectors with the highest number of privacy regulations,” Kumar says. “Instinctively, people don’t think about compliance and regulations, but education is one of those sectors that is faced with many if not more compliance and regulations than some of the other sectors.”
How to Suit Up a College’s Network with Security
Kumar says a college should be aware of threats leaking through its BYOD policies, security policies and privacy regulations, and armor-up its network accordingly.
He says colleges can prepare for a breach through three stages:
- Hardening defenses – Kumar says hardening a college’s network defenses surpasses traditional perimeter securities and firewalls. “Hardening in today’s world means moving periodic processes,” he says. “A lot of universities rely on period vulnerability scans: let me see who’s on my network, let me see if there is any risk on my network. That’s not sufficient because today, people are coming on and off the network all the time with a bunch of transient devices.”
- Increasing interoperability – Kumar says increasing interoperability in a college’s network will provide clearer context to its security systems. “One of the things you’ll hear a lot of is that security systems lack context, they are working with their individual silos,” he says. “So they’re only telling you that they’re good enough based on what they see. Continuous monitoring and mitigation solutions are probably one of the best sources of getting real time context.”
- Responding right away – Kumar says most organizations and institutions lack the automation to respond to data breaches. He says colleges should act fast during a cyber-attack to nip the source in the bud before problems spread. “It’s important that once you detect that one machine might be compromised, you immediately say, “I want a system that goes out and tells me are there others similar to this,” he says. “You have to win the race against a breach. When a breach happens, if you’re doing manual and just following it along and an endpoint gets infected, it’s going to go to different parts of the network and jump from one machine to another. If you’re doing manual, you’re always one step behind.”
Tips to Protecting Your Own College’s Network
REMEMBER YOUR NETWORK IS LIKE EVERYONE ELSE’S
Kumar says college IT departments can sometimes think their network is not commercial, and that it doesn’t need the attention a commercial network might need.
He says one way to strengthen that network’s security is to change that thought process.
“The first thing is don’t fall into that trap,” Kumar says. “You’re not different, you have regulations to deal with, you have BYOD, you have complex networks around campus. You’re just like every other commercial institution that is out there. Follow the best practices for how you successfully implement BYOD so it’s secure.”
KNOW WHAT’S ON YOUR NETWORK
Chen says colleges should familiarize themselves with what information is on their networks.
He says when college familiarize themselves with their networks, they create a visibility of what devices are on the network and how that affects certain policies, such as BYOD.
“One thing they really need to wrap their heads around is needing visibility on the types of devices and what’s on their network,” he says. “They need to know what’s on their network, the types of devices, and how that bandwidth is currently being utilized.”
CONSIDER THE VALUE OF INFORMATION PUBLICIZED ON THE NETWORK
Sadik Al-Abdulla, Director of Security Solutions for CDW-G says colleges should think long and hard about what kind of information they publicize on their network, and consider how sensitive that information is.
“Decide what to expose to Cloud in the first place,” he says. “Understand where sensitive information is and where it’s flowing, whether or not you’re consuming Cloud services. The second step is if you’re explicitly permitting sensitive information in the Cloud services, it’s getting new consideration to pre-encrypting that information.”
PICK GREAT PASSWORDS
Al-Abdulla says colleges should pick powerful passwords to access different portals on their network.
When the password is strong, no intruders should pass through. “The strength of the protection of that data comes down to how strong your users’ passwords are,” Al-Abdulla says.
KNOW WHERE TO GET SUPPORT
Al-Abdulla says colleges should pick an organized, experienced team or staff members to turn to in case of a network emergency, and to have those people on speed dial.
“In a lot of cases, lack of an officially supported set of services results in the organic explosion of whatever people want,” he says. “I think trying to get ahead of that can actually mitigate risk in a pretty dramatic way. Even just as simple as having an officially supported file transfer service and making sure that it’s nicely integrated with the college systems can result in people not using completely unsecure services.”
*This article was originally posted in 2015.