Security

To Improve Higher Ed Data Security, Address These Risks in Research Projects

Here’s a look at some of the most common factors attracting cybercriminals to universities.

Alexander Huls is a Toronto-based writer whose work has appeared in The New York Times, Popular Mechanics, Esquire, The Atlantic and elsewhere.

Research data remains a primary target for cyberattacks. A report by Check Point found that attacks on educational institutions are growing faster than any other sector. COVID-19 research universities, in particular, are especially threatened by state-sponsored hacking and cybercriminals looking to sell stolen data to nation-states.

The year 2020 has made clear how vulnerable — and desirable — university research data is to bad actors, emphasizing that having properly secured research will be critical for warding off current and future attacks.

And cybersecurity threats to research universities won’t stop when the pandemic ends. Universities will remain repositories of invaluable proprietary and personal data, often tied to corporations and government organizations, that spans medical, military, financial and emerging technologies, and more. That data will continue to be a target for nation-states looking for shortcuts to their own research efforts, and bad actors who hope to profit from it.

Addressing the following risks to researchers — such as bad user experience, and a lack of dialogue between researchers and higher education information security teams — can help overcome some of the most common roadblocks preventing colleges and universities from securing research data.

The Current Cybersecurity Threats to Research Universities

You cannot protect research without securing the end users — faculty, staff and researchers —who make that data vulnerable to phishing and ransomware campaigns.

In other words, end users are the biggest threat to research security. “Human behavior is the most important thing in cybersecurity,” says Kelvin Coleman, executive director at the National Cyber Security Alliance (NCSA). An EDUCAUSE study found that 20 percent of faculty want convenience over security. It is no surprise that 70 percent of security breaches in 2019 occurred as a result of unsecured endpoint devices.

With the shift to remote work, end-user vulnerabilities have only increased. Thousands of vulnerable endpoints have popped up in laptops, tablets and mobile phones. Without proper research security policies in place, those entry points will be exploited to the detriment of universities and researchers.

DIVE DEEPER: Secure higher ed’s growing number of remote devices.

What Are the Best Practices for Research Security?

It is still good practice to employ common cybersecurity measures, such as routine network monitoring, VPNs and intrusion detection systems. Having proper cyber hygiene, such as patching, updating and password discipline, should never be neglected. And multifactor authentication (with technologies such as Cisco Duo Security, Google Authenticator and Twilio Authy) as well as single sign-on software (such as Okta, Citrix and Rippling) are essential too.

But there are also new practices worth adopting. “One of the emerging trends is around endpoint detection and response (EDR),” says Brian Kelly, director of the cybersecurity program at EDUCAUSE, which — along with organizations such as the Association of American Universities and the Association of Public and Land-grant Universities — has begun documenting best research security practices.

Of all the audiences on campus, the researchers are the ones who would appreciate the stakes.”

Brian Kelly director of the cybersecurity program, EDUCAUSE

Bloomsburg University of Pennsylvania, for example, has been using CrowdStrike Falcon, a cloud-delivered security agent that not only flags endpoint intrusions but also provides contextual information about the threats, where they are stopped and where they came from — all of which can improve future incidence response plans. Other EDR solutions such as InsightIDR, Check Point and SentinelOne are effective tools too.

And it is always worth emphasizing that the zero-trust security model — where no internal or external access attempts are trusted — can be an effective strategy for research security. In this case, all granular user, device, location and research information must go through verification processes such as multifactor authentication, identity and access management and encryption.

EXPLORE: Learn how to choose an identity and access management solution for higher education.

What Can Promote Better Adoption of New Security Measures?

As effective as EDR and zero trust can be, they still contend with an evergreen problem: end-user receptiveness. Kelly believes one way to address this is to change how CIOs and IT departments promote cybersecurity practices. “We’ve got to change that narrative within our research communities,” he says. “We have to have it feel organic, have it feel like it’s enabling rather than stifling.”

One way to achieve this is to make researchers participate in the stakes of their own research data. “We really need to have a conversation about what they are doing, what their research entails, what type of technology they’re using,” says Kelly. “Then we have a conversation about how we can help them do that in a secure way.”

The result will be security measures catered to user preferences, which will complement, rather than interfere, with academic processes. “We need to make sure that the adoption doesn’t get in the way of the research,” he stresses.

Last but not least, improving engagement with researchers requires support from leadership. A recent EDUCAUSE report found that data security leaders are not doing enough to prioritize end-user receptiveness to research security solutions. “The majority of college or university presidents and chancellors ascend to their positions of leadership without having a tremendous amount of exposure to, or fluency in, cyber issues,” says NCSA’s Coleman.

Institutions with cyber-adept leaders who also understand researchers’ needs will have better data security policies and procedures that yield critical training and resources. “It starts at the top,” Coleman says.

What Data Storage Requirements Should Researchers Consider?

Minimizing potential risks to researchers and their data requires proper data storage etiquette. That primarily requires policies that dictate how data is stored at different stages of research. Who has access, and at what point? How long should data be retained? To answer these questions, the U.K.’s University of Reading provides a helpful data protection checklist for researchers.

Data storage requirements should also involve conversations between cybersecurity teams and researchers. “Where you store research data is dependent on the conversation that you have with them to determine what the right fit is, what the right security level is, what the risk is to that research data,” says Kelly.

Moving beyond the human element to technology, cloud technology remains an important mode of storage that helps avoid vulnerable decentralization of sensitive data. Furthermore, Kelly says, secure data enclaves are gaining traction. “We’re hearing a lot of conversations around enclaves — segmenting where the data is and how it’s stored,” he says. It can, however, be technologically time-consuming and expensive to set up, let alone for researchers to adopt.

MORE ON EDTECH: Here's 4 tips for protecting intellectual property in academia.

There is one last best practice worth considering: empowering and elevating the role of research security administrators. “They are the connective tissue between the cybersecurity folks on campus and the research community on campus,” says Kelly.

Coleman agrees: “They can better communicate between the traditional IT department and institutional leadership.”

That, of course, benefits not just the integration of enclaves, but an overall drive to improve cybersecurity among research universities and staff. “Improving the way our researchers work with cybersecurity teams has been something that we’ve been working on for a while,” says Kelly. It’s important not just for protecting universities from losing valuable data during cyberattacks, but also for protecting something more personal.

“Sometimes, that’s their life’s work,” says Kelly. “Of all the audiences on campus, the researchers are the ones who would appreciate the stakes.”

SolStock/Getty Images