If breaches can’t be entirely blocked, what can IT professionals in higher education do to prevent these kinds of disaster scenarios? The GovEd team at Logicalis US says there are four important steps that will bolster college and university cybersecurity plans.
Knowing what you’re trying to protect and identifying some of the common ways that data could be breached is a logical first step. An in-depth data security audit performed by an experienced cybersecurity solution provider, however, digs much deeper.
Auditors should look at the types of data the college has stored, where it is located (on campus or in the cloud). They will identify the servers, workstations, laptops or mobile devices that have access to that data. And they will examine the university’s existing policies regarding data breaches.
Every institution of higher learning should have a fully documented security framework for data breach prevention, including a training component to keep students, faculty and vendors up to date on the latest safe data-handling policies. Why? Only 35 percent of data breaches at colleges and universities were caused by hackers or malware. But 22 percent were caused by an “unintended” or accidental disclosure of private data, while an incredible 14 percent of data breaches were the result of something as simple as the loss of a portable device that had access to the data. As a result, it’s crucial to ensure anyone with access to the university’s compute systems is well informed about the school’s IT security policies.
A Common Security Framework (CSF) – also known as an IT Security Framework or an Information Security Management System – is a critical component to any higher education security strategy. The CSF gives you a set of documented policies and procedures that act as a sort of blueprint for your security protocols.
While there are a number of reliable CSFs available – including frameworks like NIST SP 800, ISO 27000, SANS 20/CIS20, HITRUST and COBIT – choosing the right one is often a difficult task and is something that an experienced partner can help you do. In addition to being a competitive differentiator, implementing a common security framework can give your college an improved security posture and the ability to meet some very specific compliance requirements.
Denying access to a particular class of data may make some people inside the university system uncomfortable, but it’s a critical step in protecting data from loss.
To determine who actually needs access to key types of data, start by classifying the data into categories. By tightening restrictions on data access, it’s easier to prevent unintended disclosures of that data such as the breach that occurred at the University of Oklahoma in which 29,000 instances of students’ personal information – including social security numbers, financial aid information, and grades dating back to 2002 – were accidentally exposed through the university’s document sharing system.
In addition to re-examining who can access sensitive data, it is also important to think about who really needs administrative privileges. Oftentimes, administrative access is granted to department heads or even groups of support people for internal “political” reasons rather than necessity. In gray areas, relying on an experienced third party may help clarify the access structure that will best protect your data while still satisfying your user’s needs.
As noted earlier, the university’s reputation may depend on how its IT team responds to a data breach, making the development and testing of an incident response plan paramount for every institution of higher learning.
Since the cybersecurity community generally agrees that there is no silver bullet when it comes to preventing an attack, it’s critical to have a well-oiled plan in place to detect and stop a breach when it occurs.
First, define your incident response plan. Who is your team? Is your plan incorporated – in writing – into your security framework documentation? When was that last time you ran an incident response drill? If you don’t have an incident response plan, hire an expert in IT security specific to the education market to help you develop one.