
Jul 31 2024
Security

Why Are Universities Slow to Adopt Zero Trust?

Higher education lags behind other industries in implementing this security posture despite near-continuous attacks from cybercriminals.

Higher education institutions have been slower to adopt zero-trust principles than their peers in other industries, according to a new survey — findings that indicate colleges and universities are leaving themselves vulnerable to the continuing onslaught of cyberattacks.

The 2024 CDW Cybersecurity Research Report polled IT professionals in education, government, private business and other fields to gauge how prepared organizations are to defend themselves. And while 78% of respondents in the education sector (encompassing both K–12 and higher ed) were confident that they had sufficient visibility into their cybersecurity landscape, and 61% felt either somewhat or very prepared to respond to a cybersecurity incident, far fewer could attribute their confidence to the introduction of tools and strategies that align with zero trust.

Just 26% of education respondents assessed their zero-trust maturity level as advanced or optimal, while 38% were in the initial stages and 18% hadn’t started toward zero trust at all. Those numbers veer sharply from the overall survey findings: 53% of respondents across all industries were at the advanced or optimal level, and only 9% had not yet started on their zero-trust journeys.

“I’m not surprised to hear that organizations are in different places in their maturity levels when it comes to deploying zero trust,” says Stephanie Hagopian, CDW’s vice president of security. “Every organization is different. The vertical, the kind of compliance regulations you have to adhere to, what the drivers are for the business and what your risk tolerance is as an organization are all factors and play a part in where you are in your journey.”


What’s Behind the Struggle to Implement Zero-Trust Principles?

Higher education technology ecosystems are complex environments that are frequently segmented, decentralized and in need of modernization, so perhaps it’s no wonder that colleges and universities struggle to put together the kind of cohesive campuswide security strategy that’s necessary to approach zero-trust maturity.

The CDW survey asked education professionals which factors are creating the greatest headwinds, and the answer was a version of “all of the above.” With five options to pick from and the ability to select as many as were relevant, every option was selected by at least 29% of respondents.

Nearly half of respondents said integrating legacy tools (49%), establishing an effective strategy (45%) and getting top-level buy-in (44%) were roadblocks. Those were followed by cultural resistance from users (38%) and not understanding the tools needed for zero trust (29%).


While understanding, assessing and modernizing legacy applications does pose a real challenge, Hagopian thinks some of the confusion and difficulties around zero trust could be solved with better communication and cross-campus collaboration that anticipates potential roadblocks before they arrive.

“In our experience working with customers at CDW, we’ve seen a lot of organizations struggle implementing zero trust because they don’t really have the right change management controls or communication levers in play,” she says. “There are a lot of business challenges and business process changes that have to occur when you’re rolling out a zero-trust program.”

What Zero Trust Tools Are Colleges and Universities Already Using?

The least-selected roadblock by survey respondents — a lack of understanding of the tools to use for a zero-trust framework — nonetheless reveals a troubling truth. Those 29% of respondents, primarily made up of IT managers and directors in their departments, represent a significant group of people in the education sector still getting their arms around what zero trust means.


Further proof of this came elsewhere in the survey, when respondents were asked about which tools were most helpful in cybersecurity initiatives. Among the most popular answers were multifactor authentication (with 83% either strongly or somewhat agreeing) and identity and access management (78%) — things that are already staples of a zero-trust architecture. IAM solutions are also a common first step into security automation, which is crucially important as university IT departments continue to struggle with staff shortages.

“Identity and access management drives a whole bunch of automation,” Hagopian says. “But with all the automation comes a need to set up the proper role-based access controls and create an RBAC model around this to ensure that the automation provisions the right level of access to the right systems to the right user.”

It’s also possible that IT leaders are reluctant to embrace zero trust because of how buzzy the concept has become among security vendors. But the truth is that zero trust is an old concept packaged in a new term.

“I think zero trust somewhat gets a bad rap because it’s become a buzzword,” Hagopian says. “A lot of people in a lot of organizations might say they have the solution for zero trust, but that’s not what it is. It’s a framework that’s based on some core tenets of security best practices that really have not shifted over the years, or even the decades.”

