Sep 28 2023

Weaving Cyber Resilience into the Strategic Fabric of Higher Education Institutions

At colleges and universities across the nation, leaders agree that the key to ensuring business continuity and sustainability is cyber resilience.       

Of all the cybersecurity dangers a college or university may face, perhaps the worst is complacency and the general inaction and inattentiveness it can lead to. But, with the average higher education data breach costing $3.7 million and ransomware attacks against institutions constantly on the rise, there’s little room for overconfidence — especially when it comes to protecting students’ most sensitive data. It’s why, increasingly, the concept of cyber resilience has become a popular topic of discussion for higher education CISOs around the nation.

“When we think about resilience, it’s the ability to adapt and survive and continue on after some sort of adverse event,” says Brian Kelly, the former director of cybersecurity at EDUCAUSE and now virtual CISO at Compass IT Compliance. “So, when we’re talking about cyber resilience, we’re speaking about being able to withstand an adverse event like a ransomware attack or a data breach or a natural disaster. If there’s an incident or a breach on your campus, will your institution be able to respond and remain operational and conduct business in the midst of it?”

Nothing has demonstrated the critical nature of cyber resilience (or prompted an increased focus on it) as well as the COVID-19 pandemic and the mass shutdown of campuses around the nation, Kelly says. Overall, the schools that fared best were the ones that already had strong technology strategies in place to help them maintain stability amid the breadth of uncertainties and risk that ensued.

Click the banner below to learn how to optimize your university’s device management program.

The Difference Between Cleaning Up and Growing Stronger After a Disaster

With a constant onslaught of cyberattacks, massive amounts of incoming data to protect and billions of dollars on the line, colleges and universities face a never-ending stream of risks. As institutions focus on remaining financially viable amid falling enrollments, it’s never been more critical to maintain stability and remain operational. A single breach, after all, can financially hobble an organization, costing not only money but the trust of its stakeholder community.

For organizations of all types — including higher education — concerns about business continuity are hardly new. “We have long done work around continuity and recovery,” says Wolfgang Goerlich, an advisory CISO with Cisco’s Duo Security. “We take a series of actions to ensure we can continue. We move on to different services. We move into new facilities. We switch applications, we switch processes.”

These actions are important, Goerlich continues, so that “in the event of a disruption, we can recover the organization and continue providing services. But recently, there’s been a shift toward focusing on resilience, which looks at more than continuity and recovery. The goal of resilience is not only to respond to an event, but also to emerge from that event in a better posture and a better position than before.”

LEARN MORE: How to get zero-trust architecture right for security and governance.

Cyber-Resilient Institutions Need Executive-Level Support and Resources

The most cyber-resilient colleges and universities tend to have certain factors in common, particularly in how they prioritize and attend to security.

Weaving cyber resilience into an institution’s strategic fabric effectively and successfully requires a top-down, unified approach. “It tends to be much more successful as a program,” Goerlich says. “In higher education, there are a lot of competing goals. There are a lot of services that need to be provided to students and faculty. Resilience has to be a goal at the top level so that security teams can get the buy-in, the support and the coverage we need to implement programs that get results.”

Fortunately, Goerlich says, higher education leaders seem to agree. In a 2022 security survey of technology executives across all industries, 96 percent of respondents agreed that security resilience, in particular, is top of mind. Complicating things, he says, is a lack of consistent budgeting — a reality that makes leadership buy-in all the more important.

“There's never enough budget, there’s never enough time, there's never enough resources,” Goerlich says, “which is why it all starts with priority and executive-level support.”

READ MORE: What is third-party risk and what can higher ed do about it?

Wolfgang Goerlich
The goal of resilience is not only to respond to an event, but also to emerge from that event in a better posture and a better position than before.”

Wolfgang Goerlich Advisory CISO, Cisco’s Duo Security

Ensuring Cyber Resilience Requires a Smart Investments and Informed Stakeholders

There is no shortage of steps that institutions can take to bolster their cyber resilience and ensure that, should the worst happen, they’re prepared. A good place to start is by assessing the institution’s current level of resilience and looking for any gaps or obstacles.

In many cases, Goerlich says, the key is simplification. For example, adopting a zero-trust security strategy can also improve a college or university’s ability to respond, maintain continuity and bounce back following an adverse event, he says.

Another factor complicating resiliency for many institutions is overly complex network environments, particularly in the cloud. As colleges and universities clamor to embrace digital transformation and cloud networking, it’s not uncommon for their environments to grow to a degree that becomes unmanageable. But uncontrolled and unregulated cloud sprawl can have a serious impact on an institution’s resilience.

Developing easy-to-follow approaches and processes — along with adopting simplified, automated and easy-to-use technology solutions — can make a significant difference, Goerlich says. “One of the top things, from a technology perspective, that we can do is to simplify those environments so that there are fewer moving pieces and we have a consistent set of controls.”

Above all, Kelly says, organizations have to ensure their people are up to speed and well educated on what it takes to maintain a strong security posture, and that they know how to avoid risk and remain functional during a disaster. After all, he explains, even the best strategy and technologies won’t always protect against human error.

“I always start with the people in the process,” Kelly says. “They have to understand the business and the work and the risk. There’s going to be some level of resilience with your technology, but I always caution people that you can’t fully achieve it unless the people understand.”

metamorworks/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT