Q&A: Selecting the Right Cybersecurity Tools for Higher Education

EDTECH: Why don’t the security methods many universities use work well enough to prevent cyberattacks?

STEMPF: Security is very reactionary — we react to things that bad actors have done. We can prepare for all of the known exploits, but there will always be new, undiscovered threats. These unknown threats are typically called zero-day exploits, exploits that nobody's ever seen before. This is why you can’t prevent your way to success. Only through real-world, chaotic testing can you prepare yourself for when an attack inevitably happens.

Ultimately, we're playing checkers while the bad actors are playing chess. Its asymmetric warfare, and the odds are against us. Unless organizations change their game, they’ll always be one step behind. The attackers are more advanced, better trained and funded, and very motivated. That's hard to compete against that when organizations are constantly dealing with tight budgets and staffing issues.

It’s a sports game. In order for them to win, they only have to be successful one time. In order for us to win, we have to be successful 100% of the time. 

EDTECH: How does the recovery process work after a cyberattack, and how does it relate to disaster recovery?

STEMPF: Most people don't understand that disaster recovery is not the same as cyber recovery. If a tornado hits one of your buildings, you've probably already planned and have a second building that you're doing replication to; you can just come back up with that second building. It might not be as fast, but you can limp along because the tornado is not going to do anything nefarious to your data. It's simply wiping out a site.

In a cyberattack, you must question everything you know. You need to question your data, your network, your servers — everything is suspect. 

WATCH: Companies like Commvault are redefining data protection in higher education.

EDTECH: How long does it take to recover from a cyberattack?

STEMPF: Minimum recovery from a cyberattack takes, on average, 24 days; for a full recovery, it’s months to years. Most people have the unrealistic view that you can start recovering immediately after an attack, but that is the worst thing you can do. Without first doing your proper due diligence of forensic analysis, working with your cyber insurer and knowing your blast radius, you have a higher chance of reinfecting your environment. If you immediately start recovering after a cyberattack, there's one thing I can guarantee: You're going to reinfect your environment, period.

Most people think that when the encryption event begins, security alarms are triggered. Instead, someone typically stumbles across the ransom note on one of the servers. Then you have to invoke your incident response plan, deal with your cyber insurer and perform forensic analysis, all before you start your recovery. 

EDTECH: What things should organizations be doing during the recovery process?

STEMPF: The No. 1 thing organizations should do during recovery is focus on the cleanliness of the data. All too often, organizations are worried about the speeds and feeds of a recovery, focusing on disaster recovery concepts such as recovery time objectives and recovery point objectives. Disaster recovery handles predictable events — things like natural disasters or hardware failures — which aren't intentional and do not actively target data. In contrast, cyber recovery tackles malicious attacks such as ransomware or data breaches, where attackers actively try to harm systems and corrupt data.

Every single cyberattack is unique. You could lose all of your machines or only a random handful. The challenge is that you can’t set a time frame for how long forensics will take, or know what the impact of the cyber insurer will be, or even guarantee having a clean place in which to recover the organization.

Understand that cyberattacks aren’t what they used to be; this isn’t an amateur sitting in a basement. These attacks are being perpetrated by organized crime and are used to fund other illegal activities. Institutions are not only being asked to pay to recover their files; the attacks are moving to a triple-extortion method: demanding payment from organizations to decrypt files, payment to prevent the release of sensitive data, and extorting individuals whose information was stolen during the attack.

READ MORE: How to manage data exfiltration risks with open access in higher ed.

EDTECH: How has secrecy around cyberattacks delayed progress in prevention and recovery?

STEMPF: Cyber recovery has been a point of embarrassment for companies and institutions. No one talks about what happened during their breach because it's embarrassing to their brand. This secrecy has led people to believe that cyberattacks are not as frequent or widespread as they actually are. It has also hindered the industry’s ability to define best practices and to incorporate lessons learned from others.

This is why, at Commvault, we are creating an educational program called Commvault College that will educate organizations on the processes, best practices and methodologies for cyber recovery. Commvault College will be available in October 2024.

EDTECH: What steps can higher education institutions take today to ensure they’re prepared to recover from a cyber incident?

STEMPF: Test, test, test. For years organizations have tested their disaster recovery plans, yet very few are testing cyber recovery plans, which is the most critical thing that can be done today.

Start testing your cyber recovery plan. Take that plan into a tabletop exercise. From there, execute a true cyber recovery in a clean room. Clean-room testing provides a feedback loop into the cyber recovery plan, which then leads to another tabletop exercise, which leads back to another clean-room recovery.

So, what are tabletop exercises, and why haven’t they been helpful? A tabletop exercise is when you get IT and security teams into a room, and you role-play recovery after an attack, walking through it, trying to determine the issues that would arise.

The problem is, these have become very cookie-cutter and are typically done under ideal conditions. It’s scheduled twice a year, and it’s two and a half hours. You walk in, there are donuts, there's coffee and it's all scripted. Everybody knows exactly what's going to happen. These are the 15 machines that were bad and what we’re going to do.

So, what I typically do is, I walk in, I look at the room and I say, “You four, get out.” And they're like, “What? That was the backup admin. Why are you kicking him out?” It’s to create the chaos of a real-world scenario.

DISCOVER: In cybersecurity planning, don’t overlook the value of tabletop exercises.

Remember, these are criminal organizations. It's very easy to find out who does what at an organization. We have seen bad actors follow the backup administrator’s child to school, take a picture of them on the playground, and send it to them before the attack, saying, “Don't go to work for the next week.”

That's why, when I go into the room, I kick people out. It’s chaos. The more chaotic I can make it, the better it is. If we practice in a more realistic fashion, then no matter what type of attack comes in, we will be that much more prepared to deal with it. 

EDTECH: Any other key takeaways for higher ed administrators?

STEMPF: There are two types of organizations in this world: those that know they've been breached and those that don't know they've been breached. 

In years past, they used to say, “If you get hit, the best way to recover is through the use of data protection.” Then the FBI changed it to “when you get hit.” And now they've changed it again, and it's “how often will you be hit?” The most important defense for any organization against ransomware is a robust system of backups.

Brought to you by: