When tech observers talk about the “people” in the “people, processes and technology” that comprise an effective cybersecurity strategy, they’re usually referring to users.
Depending on their behavior, users can either expose institutions to unnecessary risk or protect them from it. But, of course, there’s another set of individuals who are needed to keep universities safe: cybersecurity professionals within IT departments. And at many higher education institutions, especially smaller colleges, there simply aren’t enough of them to go around.
“There is so much to consider in cybersecurity, and traditionally, IT in higher education is understaffed,” says Jill Albin-Hill, vice president for information technology and CIO at Dominican University. “It’s tough to find the time and to get the right resources on campus to be able to address it all.”
To address that gap, Dominican teamed up with four other small institutions in the western Chicago suburbs — Elmhurst College, North Central College, Wheaton College and Judson University — to create a cybersecurity consortium. The group banded together to contract with an external IT service firm that helps all of the institutions manage cyber risks.
The agreement started in July of 2016, and Dominican University had the vendor on campus for a two-day risk assessment that summer. During the assessment, the vendor interviewed stakeholders in departments across the university to determine security priorities and vulnerabilities.
“Already, it’s helped me gain some visibility across the institution about how this is an important university consideration, and not just an IT issue,” Albin-Hill says.
In addition to solid user training, a well-rounded cybersecurity strategy must include robust processes for protecting institutional data and systems.
These processes include:
Vulnerability Scanning and Penetration Testing:
Vulnerability scans use automated tools to check the security posture of servers, desktops and other systems, whereas penetration tests make use of “white hat” hackers who launch (harmless) attacks against an institution’s infrastructure to identify vulnerabilities.
James Wiley, principal analyst focusing in cybersecurity at the research firm Eduventures, says it is especially important to conduct testing when deploying new resources. “You write it into any vendor contract,” he says. “If they’re not willing to do it, you get them out of the pool.”
Server Authentication and Certificate Management:
Strong server authentication practices are especially important for the high-volume email systems that colleges typically operate. It is also essential that robust certificate management systems be in place to automate the renewal of expiring certificates.
Mike Chapple, senior director for IT service delivery at the University of Notre Dame, says universities should be especially careful managing “wildcard” certificates. “If a certificate is compromised and you have to revoke it, it’s really important to know where it’s being used, so you don’t just revoke it and see what breaks,” he says.
Monitoring and Incident Response:
Real-time monitoring of network traffic and system logs for anomalous activity should incorporate both technology and IT staff. And when an incident is detected, a detailed plan should be in place to direct the institution’s response.