Then look at the safeguards and say, “Are they still managing these risks? Are they still mitigating them?” Suppose you have cyber insurance and you transferred that risk. Will that policy protect you if you have a breach that looks like X, Y or Z?
Second, adopt a defense-in-depth approach. With these blended threats, you have to think bigger. What are the physical risks? What physical controls are in place? How do you build defense in depth?
A lot of that comes down to people. We need people who understand the issues and aren’t swayed by the sensationalism of FUD. If they read about an incident on the internet, they should be able to say, “Here’s my plan of action. I’ve already got the steps that I need to take in this situation. I’m just going to follow those steps.”
Third, we have to dismiss the “I am not a target” mentality. A malicious hacker can get into someone’s account and use that to escalate privileges, or they’ll scan the information and say, “This person has more access. Now I need to get into this person’s account, too.” The malicious hackers are very smart and very organized, so that “I’m not a target” mentality no longer applies.
EDTECH: Now that institutions can use advanced software solutions to better monitor their networks, do they struggle to find the best way to use this data?
MILFORD: People are certainly struggling with that. We tell people to collect their logs, but the second side of that, which, unfortunately, we don’t focus on as much, is they need to analyze those logs. If you’re a busy professional with a small team, you probably don’t have time to review those logs daily. So, you use automation to alert you to things that are concerning.
We see people moving in that direction of using software and automation to help them. As data analytics as a field becomes richer, we have more opportunities than we did 10 years ago.
Right now, the mature shops and big universities are doing this best, because they have the money to spend and the people to develop it. These things don’t happen overnight. If you see a bad IP address, you have to develop the rules to tell your firewall or your control list to block that IP address. So even though you set up the automation, it does take people to think that through.
EDTECH: IT leaders often struggle to engage senior-level support. What strategies can they use to elevate the security agenda?
MILFORD: This is a challenging one, and it raises questions about where the CISO should report. In an ideal world, should they report to a president? Most days, I say, “Yes, they should.” But every now and then, I’ll see something super technical that the CISO wouldn’t get if they didn’t report to the CIO, so sometimes I like that model too. Ultimately, it’s hard to get and keep the attention of high-level people, which is why we often resort to using FUD.
We usually recommend that the CIO should, when he’s at the president’s cabinet, always say something about security — even if it’s just that phishing was really bad this month or self-phishing tests are starting to pay off — just to plant that seed and raise awareness. We also recommend general cybersecurity training for everyone, so it stays front and center. That often requires HR’s assistance, but it helps a lot.
I also find that metrics and money talk. If you can show, “We had to deal with X, Y, Z type of attack last year, and that used up half of my security engineer’s time, so it cost us $65,000. Is that okay with you or would you rather shift that?”, that is a really good way to talk to management.
EDTECH: What else should IT leaders be doing?
MILFORD: The higher education community is very cooperative, so take advantage of others’ expertise. Pick up the phone, call your neighbor, look at resources on EDUCAUSE and REN-ISAC and start leveraging those relationships.