Higher education institutions carry a double burden when it comes to data security: They possess a great deal of information that hackers find attractive, and their need for open, flexible access makes it harder to secure their networks.
Unfortunately, the numbers bear this out. A recent CDW survey found that in the past year, 60 percent of institutions experienced a data breach.
Given the odds, leaders in IT, information security and other administrative areas must be prepared to deftly execute a data recovery plan. Most institutions, of course, have extensive procedures in place. But even the best-laid plans often don’t unfold as expected.
Several factors can cause recovery procedures to veer off course. To be proactive, assess your plan in light of each of these potential pitfalls and shore up any weaknesses you identify.
1. The Recovery Strategy Is Too Loosely Defined
Well-defined procedures ensure that institutions can sustain services during a crisis, as well as provide timely notification to involved parties to avoid potential federal, state and local information security management violations if a breach occurs.
As the Deloitte Center for Higher Education Excellence notes, to be effective, leaders from across the institution (including representatives from IT, legal, risk, human relations and communications) should confer about potential threat scenarios.
Deloitte also suggests staging threat simulations to help stakeholders prepare to mount an agile response, should an actual attack occur.
2. Communication About the Recovery Plan Is Insufficient
Leadership must stress the importance of the response plan, emphasizing that enacting the necessary provisions will be a priority.
Unfortunately, research indicates that university presidents, who are often extremely busy, may not have the opportunity to be as closely involved in recovery-related IT activities as they would like to be.
A 2016 EDUCAUSE survey found that CIOs who serve on the president’s or chancellor’s cabinet are significantly more likely to have an opportunity to discuss the IT implications of institution-wide decisions with key campus players.
However, only 42 percent of CIOs at U.S. schools are part of the president’s cabinet. Those that aren’t may not be in a position to convey the response plan’s significance.
3. Authority Among IT Staff Is Not Clearly Assigned
To ensure that staff members enact the provisions of the response plan correctly (and as soon as possible), institutions should designate an individual, team or department to be in charge of instituting and overseeing the response process.
Virginia Tech’s cybersecurity response guide, for example, clearly states that the IT security office is sanctioned to manage and coordinate cybersecurity incident recovery efforts while working with IT personnel in various departments.
4. Leaders Failed to Gather Intelligence from Previous Breaches
When an incident occurs, a thorough postmortem allows leaders to figure out what went wrong and, more importantly, how to prevent a repeat occurrence.
This learning process should apply both to the breach itself and to the institution’s response. After the University of Delaware experienced a cyberattack in July 2013, it conducted a thorough review to determine who was affected (approximately 72,000 current and past employees and fewer than 2000 non-employees).
The investigation also revealed that the breach stemmed from a criminal attack that took advantage of a software vulnerability.
When it comes to keeping data secure, planning your response to a breach is only half the battle. Such plans also need to be tested (preferably through simulations, tabletop exercises and the like) and subject to continuous improvement efforts.
Start by evaluating your plan for each of these potential weaknesses, and then go one step further to see what other vulnerabilities you can identify and fix.
As the security experts caution, data breaches in higher education aren’t a question of if, but when. If that holds true, you’ll have much better peace of mind knowing that your institution is absolutely prepared to recover, resume business as usual and carry those lessons forward.
This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.