Apr 16 2015

Security Risks in Higher Ed's New Normal

As higher ed adjusts, IT leaders also must prepare to meet new security challenges head-on.

Devices, wireless and security are integral to the ongoing technology priorities conversation taking shape on higher ed campuses today, along with how they can be leveraged to improve outcomes. In the always-connected, BYOD "new normal," securing your people and institution has never been more difficult.

When it comes to supporting mobile devices, IT leaders remain concerned — rightly so — about security (57 percent) and bandwidth limitations (47 percent), according to CDW•G’s “Wireless Network Practices and IT Purchase Practices” survey, conducted and published by Spiceworks in January 2015.

How can you secure what you can’t control?

As higher ed IT leaders, we need to better articulate to university executives, business and department leaders that security breaches are inevitable — in fact, a strong security strategy includes the premise that a breach will occur. Any governance and response plan should include protocols with leveled prioritization, emphasis on the most relevant vulnerabilities, policies that are segmented and a well-defined plan for what happens once a breach is discovered. Ultimately, the most successful security policies limit impacts following a breach.

Always Be Prepared

Sadik-Al Abdulla, CDW’s director of security solutions, recently presented his 2015 State of Security findings to me and several members of CDW•G’s Higher Education Customer Advisory Board. Two of his talk’s themes resonated with me:

IT leadership teams should set themselves apart as valued institutional partners who are aligned with institutional and departmental priorities, not as the security police. Additionally, strong security policies do not equate to equal standards for all data types. For example, critical and sensitive medical research data obviously require a greater level of security than, perhaps, intramural club rosters. Rather than policing data, IT leaders can better assist faculty and other decision-makers by helping their security teams craft communication and change management plans when updating outdated security and data policies or procedures. Change management and communication plans are the foundation for implementing priorities in the new normal, where you can’t control users or their devices.

Since the greatest threat to security likely lies in how the students, faculty and staff follow protocol, then a strong focus on user education is critical. What does your user education plan look like? If the majority of your users still use passwords with a capital letter of a favorite word and then the number 1 at the end (or other simple rules), then your institution is at risk. Focusing on user communication and education is imperative.Obviously, you want to deploy best-in-class security technology, but is that really the difficult part?

Post-breach action plans are paramount to ensuring best-case scenarios. Many institutions would benefit from refining governance and security response plans following a breach. When IT teams start from the premise that some level of breach will occur, then having a first-rate response plan in place should be a fundamental priority.

Some questions you should ask include:

  • What is the protocol for monitoring and detecting breaches? (Even the most sophisticated plans and solutions to detect security breaches are ineffective if they aren’t monitored.)
  • Do faculty and staff know what to do when a breach is detected?
  • Do the appropriate team members have local phone numbers for the FBI and any other relevant teams?
  • What does your institution’s response roadmap look like, and who knows how (or is empowered) to activate it?

The findings detailed in this report, while focused on the corporate sector, should also give all of us in higher ed some things to consider. I hope you’ll find it helpful as you and your teams refine your own protocols and policies in light of our ever-evolving technology landscape.

This article is part of EdTech: Focus on Higher Education’s new UniversITy blog series. Please join the discussion on Twitter by using the #UniversITy hashtag.

Wavebreakmedia Ltd/Thinkstock

Zero Trust–Ready?

Answer 3 questions on how your organization is implementing zero trust.