During an EDUCAUSE 2014 panel on cybersecurity in higher education, discussion quickly turned to a brutal truth: No one can avoid cyberattacks.
"It's not a matter of if you're going to get breached, it's a matter of when," said Peter Streips, president of Network Security Group.
Citing research from the Open Security Foundation, Streips said 35 percent of all breaches take place in higher education. Learning centers are targeted by hackers because they are warehouses for personal information. And external threats are only a part of the problem, Streips said. Nearly half of all breaches happen inside the network. Some of these occur due to human error, but the possibility of internal threats can't be ignored.
To mitigate damage from these attacks, it's important for higher education institutions to have a plan of action for when a breach occurs, he said. An ideal plan would also include steps to take before a breach occurs. For example, it should spell out what to do when an employee with valuable security access is dismissed or leaves employment, so that their privileges are revoked before they can do any damage.
Education as a Powerful Defense
Following Target's point-of-sale malware breach in 2013, universities have become acutely aware of the damage a cyberattack could inflict on a school's reputation, said Vince Spiars, Wesleyan University's administrative user services manager. This has put increased pressure on IT staff to halt intrusions before they become a problem for the university as a brand.
One of the most powerful defensive steps a university can take is to educate users of the network on security best practices, Spiars said. But it's not enough to hand each new employee an 800-page pamphlet on campus IT standards, he said.
"We use a product that has a knowledge base, so they can just start searching and find quick answers to things," he said. "That gives you a much better chance of helping them help you to keep the bad guys out."
Bring Your Own Destruction
Along with increasing cybersecurity threats, the potential for security weaknesses is also growing with the widespread adoption of bring-your-own-device initiatives on campuses across the country. For some in higher ed IT, BYOD has come to mean "bring your own destruction," said Lysa Myers, security researcher for ESET North America.
To protect mobile devices on the network, IT departments must erect walls of security, but these can frustrate users. Educators and students today must memorize a variety of logins and passwords to access services. Adding more security layers creates more frustration.
But Spiars said there's a balance to be achieved.
"Understand that security and convenience are diametrically opposed. You're going to have to fight that. You can try to make it more palatable to have better security, but you can't make things easy for the user," he said.
Survey of IT Leaders Shows Challenges Ahead for Higher Ed
Top 3 challenges security must meet:
- Protecting student data, organizational data and intellectual property (79%)
- Balancing employee and student productivity with protection (47%)
- Meeting compliance standards (19%)
Top 3 issues facing IT in the next 12 months:
- Student-owned devices on campus (48%)
- Mobility and BYOD for faculty and staff (46%)
- Flipped classrooms (20%)
SOURCE: ESET Security Solutions, "Looking Ahead in Education," September 2014