TechDecisions sat down with John Irwin, Senior Vice President of Government, Education and Healthcare at AT&T, to talk about cyber security considerations for colleges and universities:
TD: Why would someone want to steal data from a college or university?
JI: If you think about colleges and universities, they host large amounts of student and staff identities. If compromised, this can be sold by hackers. It’s a pretty rich sample of data.
In addition, colleges and universities conduct a significant amount of primary research. If you follow that chain – primary research leads to discoveries and, eventually, intellectual property – that is something that is highly attractive to foreign governments and others. So it’s easily monetized. Potentially, these are people that we wouldn’t want to have our best and brightest’s secrets.
Lastly, in order to be collaborative, which is certainly what we desire in higher education, the networks tend to be more open than enterprise networks. So you potentially have easier access to students and faculty not officially affiliated with the owning institution. I think that highly collaborative aspect is something that presents an opportunity for people to do things we wouldn’t want them to do.
TD: What is the impact of a data breach at an educational institution? How does it hurt the college or university? How does it hurt the students whose data has been stolen?
JI: Reputation and credibility in the higher education space is a bond between university and students, and in many cases with universities and parents, or whoever is paying the bill. It can impact the institution’s overall brand.
One of the other things that we’ve seen is the ripple effect: when there is a breach, frequently these institutions have to fund credit monitoring services for those impacted. So there’s potentially a significant out-of-pocket cost.
A cyber attack can also lead to a loss of intellectual property and trade secrets as I mentioned earlier.
TD: What can colleges and universities do before an attack occurs to prepare for and prevent an attack?
JI: I would tell you a layered approach is most prudent:
First, education: users, anybody that’s in the infrastructure, should be trained on the latest security methods and practices. That’s important, because I still find instances where people’s passwords are written on the undersides of their mousepads.
A second component of this layered approach is updating the OS and applying security patches. Make sure all of the operating systems are up to date and that these regular security patches are applied. This is something that changes, I’m not going to say hourly, but it certainly changes daily. Making sure you’ve got the current patches is a significant aspect.
Another thing that I would tell you we’ve employed, and a number of my clients have employed, is multifactor authentication. Generally using something you know, like a password, and then something that the authorized user has, like a token authentication, is a pretty big deal.
Back to that layered approach – DDoS security is a great place to start. If help or direction is needed, AT&T offers security consulting services. We do a tremendous amount of business in this space given the significance of the threat here.
As content gets moved to the cloud, understanding cloud security is a big deal. I would tell you it’s not just one thing. It’s a layered approach in order to have a prudent approach to security.
TD: What can colleges and universities do while an attack occurs to mitigate the damage from the attack?
JI: I would tell you this is not a go-it-alone strategy. We’ve had calls from clients late on a Friday night or early on a Saturday morning where they want to do a quick consulting engagement with us. This is something you leave to the cyber security professionals to help mitigate within a timely manner.
I would also say that one of the things we’ve appropriately seen a lot of energy around, certainly AT&T does this, is having a response plan. Doing tabletop exercises, making sure you flex those muscles and know the right things to do, the actions to take, and the people to approach is a big deal.
One thing that people don’t think about is having a media outreach plan so that you can manage the story in the press. Your brand and your reputation are at stake here, and making sure you manage that is important.
TD: What can colleges and universities do after an attack occurs to deal with the repercussions from being breached?
JI: Keeping an open line of communication with all affected parties, leadership and media. Making sure there is clear and concise communication, because there is a question about what has happened and you need to manage that via open communication. Then making sure that you’ve got alignment from all stakeholders associated with the response actions. This could be stakeholders including legal, external resources, vendors, and, depending on the significance of it, homeland security, FBI and others could be part of your response plan as well.