How universities can improve their cybersecurity
10 MINS READ
Ransomware, a costly affair
Remote collaboration is one of the huge benefits of the Internet age we live in, but it comes with its own set of risks, such as malware attacks. Higher education institutions are not immune. For example, in March 2021, the FBI publicly warned of an increase in a particular type of ransomware attacks aimed at educational institutions in 12 US states and the United Kingdom.
Attacks such as these are costly on several levels. Most obvious are reputation damage and direct financial losses for organizations that pay the ransom. Reported losses, however, probably underrepresent the true cost, because many victims do not come forward due to the potential damage to their reputation from public acknowledgment of a successful cyberattack.
The very qualities that make educational institutions valuable can make them vulnerable as well.
Universities often conduct cutting-edge research. Cybercriminals can extort institutions by encrypting their intellectual property (IP) and demanding a fee to unencrypt it. They also can steal the IP produced by researchers and sell it to third parties for financial gain.
Apart from their IP, universities must also protect the people within their ecosystems. This includes guarding against risks to the personal safety of students when physical access to school facilities converges with logical access to IT resources. Think key cards for building access.
Additionally, they need to protect students’ personal data. College students rely heavily on their smartphones for everything from online class participation to pizza delivery. Unfortunately, hackers are increasingly using mobile devices as an avenue for attack.
Universities that operate medical centers or health clinics must go further to safeguard patients and their private health information. This can even include protecting the welfare of animals in university veterinary or research facilities.
Most people are not hyper-focused on cybersecurity, and this includes university students, faculty, and staff. Compounding the problem, higher education institutions experience a constantly shifting user population, as students (and sometimes faculty) cycle through the university system and often change roles over time. Students can become staff or faculty, and staff can become students, making it difficult for IT administrators to match account access privileges with current roles.
Beyond that, universities face the challenges of expanded remote online teaching and learning in response to the pandemic, as well as the general ongoing shift to cloud environments for data processing and storage.
Integrated IAM is key
Collaboration, the natural hallmark of education, is based on trusted and secure information exchange. As data is passed back and forth between groups of users—faculty to students, students to the university, researchers to colleagues both inside and outside the university—all involved must be assured that the information is kept confidential, accurate and consistent, and available when needed. Fruitful collaboration is possible only if people can quickly, seamlessly verify the identities of others, and provide or restrict access to the correct systems and data.
Here are some recommendations for effective IAM in a university setting:
The foundation of a strong IAM program is that it be rooted in an integrated framework for managing digital credentials—one that combines identification, access, authorization, and auditing. No single element will suffice.
Like good household plumbing, IAM should operate quietly in the background to allow users to live their digital lives without hindrance.
It should function seamlessly with applications, databases, and other institutional assets to make the digital user experience efficient and secure.
A robust IAM program should also allow end users some degree of control over their own identity. For example, permitting users to change their formal name in the system to a preferred name.
Finally, correct timing of appropriate access is key to security. A new user should be granted initial system access in a prompt and accurate fashion and, even more importantly, access should be removed quickly when users leave the system or their roles change.
With the cybersecurity industry’s increasing focus on defending individual digital assets instead of trying to protect the network perimeter, IAM is getting more attention.
A user’s unique identity can serve as the cornerstone of information security if a robust IAM program is in place. But it doesn’t happen easily or quickly.
Some unique functions within IAM have become so specialized that they are now beyond the capability of many institutions. This has led them to turn to professional services firms for a comprehensive solution, according to Gartner. Good IAM partners are maturing to security allies who are regularly consulted about direction, strategy, and changes in technology.
This added perspective is much needed because IAM solutions must continually evolve to meet shifting security demands of online behavior, regulatory requirements, and new identity standards and best practices.