According to EDUCAUSE, the average cost of each data breach is $3.65 million, but the nonmonetary cost might be even higher. “The reputational damage caused by data breaches and cyber incidents is immeasurable and hard to recover from, as these breaches compromise an institution’s image and erode trust among students, parents, graduates, donors and partners,” notes an EDUCAUSE article.
These breaches aren't just ransomware. The 2024 SonicWall Cyber Threat Report points out that malware and phishing attacks are still on the rise. Even the classic denial-of-service attack still keeps IT managers awake at night, as evidenced by a February attack on Cambridge University in the U.K.
One of the big issues that university IT executives and their staffs must deal with is the ever-growing number of points of entry that a hacker can exploit, whether it’s via cloud services, third-party software or a growing number of devices that can access a network from all points. For instance, in September 2023, a vulnerability in the data-transfer software MOVEit made sensitive data at the University System of Georgia vulnerable, giving hackers access to information such as names, addresses, salary details and Social Security numbers.
Zero-Trust Security Policies Recommended for Higher Ed
This is why EDUCAUSE has recommended that higher education institutions consider implementing zero-trust security policies. This goes way beyond using multifactor authentication and keeping security software up to date, which more than 90 percent of the respondents to the Inside Higher Ed survey say they already do. Zero trust is a holistic approach to network security that works on the assumption that nothing that accesses the network, whether it’s inside or outside the firewall, can be trusted.
429%: The percentage increase in encrypted cyberattacks on the education sector from 2022 to 2023 (Source: SonicWall, 2024 SonicWall Cyber Threat Report, February 2024)
The term zero trust, coined by John Kindervag of Forrester Research in 2009, is based on the Russian proverb “trust but verify.” Because a number of different cyberattacks start via trusted devices or applications and then move through the network, it’s not enough to trust something accessing the network just because it was authenticated the first time it logged on.
Implementing zero-trust security policies is a multiyear process that requires a complete survey of how data enters and moves around an enterprise’s network. This means:
- Getting a complete picture of the devices that are inside and outside the network that require access (including devices like printers, which have become entry points for attacks in recent years)
- Figuring out the degree of access groups of users need
- Finding out all of the applications and software that access the network
- Tagging and classifying the data that travels over the network
- Segmenting the network to give users only the access they need
“Educational institutions should adhere to the principle of least privilege and ensure that individuals only have access to the necessary programs and data for their roles,” EDUCAUSE writes. “Institutions should also look into improving authentication, implementing centralized identity, managing third-party access, reducing the use of easy-to-hack passwords, and adding multifactor or biometric authentication.” EDUCAUSE also suggests starting with areas that are high-risk or high-value, such as research projects with intellectual property protection needs, and piloting the policies there.
How Implementing Zero Trust Can Help Enterprise Security
Once fully implemented, a security infrastructure adhering to zero-trust policies should authorize users, including unmanned service accounts, before they get access to a network and recheck them on a regular basis, while constantly checking data and usage patterns for anomalies. If an attack is still initiated, steps like data checking, network segmentation and other implementations should isolate it before it propagates throughout a network.
Given that all of this needs to be implemented with as little impact on the end user’s experience as possible, it’s a process that needs buy-in from all concerned parties within a particular institution and a lot of detailed planning. As with any cybersecurity implementation, end-user education is paramount, according to EDUCAUSE. Because 85 percent of data breaches are caused by human error, the organization notes, phishing training, password guidance and personal data protection best practices must be communicated to employees and students.