Jul 15 2024
Security

How Zero Trust Can Protect Against Evolving Cybersecurity Threats in Higher Ed

The education sector has proven to be one of the least secure industry sectors. With attacks on the rise, now is the time for institutions to implement zero-trust security policies.

In a 2023 survey of tech leaders at higher education institutions, Inside Higher Ed found that fewer than a quarter of respondents were either very or extremely confident that their networks could withstand a ransomware attack.

Their fears are not an exaggeration; higher education has proved to be one of the least secure industry sectors over the past few years, with the number of cyberattacks against institutions in that sector on the rise.

EDUCAUSE documented a 44 percent increase in cyberattacks against higher education institutions since 2022, citing increased remote access to university and college networks since the pandemic as well as the fact that many institutions don't have the robust budgets to hire IT security experts that corporations and other large enterprises do.

According to EDUCAUSE, the average cost of each data breach is $3.65 million, but the nonmonetary cost might be even higher. “The reputational damage caused by data breaches and cyber incidents is immeasurable and hard to recover from, as these breaches compromise an institution’s image and erode trust among students, parents, graduates, donors and partners,” notes an EDUCAUSE article.

These breaches aren't just ransomware. The 2024 SonicWall Cyber Threat Report points out that malware and phishing attacks are still on the rise. Even the classic denial-of-service attack still keeps IT managers awake at night, as evidenced by a February attack on Cambridge University in the U.K.

One of the big issues that university IT executives and their staffs must deal with is the ever-growing number of entry points that a hacker can exploit, whether via cloud services, third-party software or the growing number of devices that can access a network from anywhere. For instance, in September 2023, a vulnerability in the data-transfer software MOVEit exposed sensitive data at the University System of Georgia, giving hackers access to information such as names, addresses, salary details and Social Security numbers.

Zero-Trust Security Policies Recommended for Higher Ed

This is why EDUCAUSE has recommended that higher education institutions consider implementing zero-trust security policies. This goes way beyond using multifactor authentication and keeping security software up to date, which more than 90 percent of the respondents to the Inside Higher Ed survey say they already do. Zero trust is a holistic approach to network security that works on the assumption that nothing that accesses the network, whether it’s inside or outside the firewall, can be trusted.

429%

The percentage increase in encrypted cyberattacks on the education sector from 2022 to 2023

Source: SonicWall, 2024 SonicWall Cyber Threat Report, February 2024

The term, coined by John Kindervag of Forrester Research in 2009, is based on the Russian proverb "trust but verify." Because a number of different cyberattacks start via trusted devices or applications and then move through the network, it’s not enough to trust something accessing the network just because it was authenticated the first time it logged on.

Implementing zero-trust security policies is a multiyear process that requires a complete survey of how data enters and moves around an enterprise’s network. This means:

  • Getting a complete picture of the devices that are inside and outside the network that require access (including devices like printers, which have become entry points for attacks in recent years)
  • Figuring out the degree of access groups of users need
  • Finding out all of the applications and software that access the network
  • Tagging and classifying the data that travels over the network
  • Segmenting the network to give users only the access they need

“Educational institutions should adhere to the principle of least privilege and ensure that individuals only have access to the necessary programs and data for their roles,” EDUCAUSE writes. “Institutions should also look into improving authentication, implementing centralized identity, managing third-party access, reducing the use of easy-to-hack passwords, and adding multifactor or biometric authentication.” They also suggest starting with areas that are high-risk or high-value, such as research projects with intellectual property protection needs, and piloting the policies there.

How Implementing Zero Trust Can Help Enterprise Security

Once fully implemented, a security infrastructure adhering to zero-trust policies should authorize users, including unmanned service accounts, and recheck them on a regular basis before they get access to the network, while data and usage patterns are constantly checked for anomalies. If an attack is still initiated, steps like data checking, network segmentation and other implementations should isolate it before it propagates throughout the network.

Given that all of this needs to be implemented with as little impact on the end user’s experience as possible, it’s a process that needs buy-in from all concerned parties within an institution and a lot of detailed planning. As with any cybersecurity implementation, end-user education is paramount, according to EDUCAUSE. Because 85 percent of data breaches are caused by human error, the organization notes, phishing training, password guidance and personal data protection best practices must be communicated to employees and students.
