In the thriving underworld of the dark web economy, data is where the money is, and higher education has lots of it. That was the message of Joanne Martin, who delivered the keynote address on Tuesday at the 2018 UBTech Conference in Las Vegas.
Martin, the founder of JLM Consulting, spoke on “The Next Generation of Cybersecurity: The Changing Threats and the Evolving Technology.”
Valuable campus assets include not only decades’ worth of staff and student personal information, but also financial information, healthcare records and a vast trove of research data that includes intellectual property, corporate records and other attractive data.
Prep for Internet of Things with Strong Data Governance
“Technology is changing who’s attacking us, it’s changing how they’re attacking and it changes how we can go about fixing it,” Martin said.
She pointed to ransomware as an example of a new threat that has grown quickly. By one measure, she said, the number of such attacks jumped more than 2,000 percent in 2017. But that’s far from the only source of trouble in higher education, which Martin said is the third-most attacked industry after healthcare and financial institutions.
The reason, she said, comes back to data: “If I can sell it, steal it, use it — if I can bring your learning management system to its knees and tell you that you have to pay me money to bring it back, I’m going to make money.”
And with a single higher education record worth $265 on the dark web, there’s a lot of incentive for hackers to find and exploit vulnerabilities on campus networks. The risks of an attack, Martin said, include not only business and reputational damage, but also website defacement, espionage, theft of intellectual property, crippling Distributed Denial of Service attacks and malware of many stripes.
As if existing threats aren’t enough, Martin said all the smart devices that are part of the Internet of Things will bring a new wave of vulnerability to campus. Lacking a new market of security products specifically designed to bolster IoT security, she said, IT leaders will need to go back to basics: access controls, with extra security protecting the most valuable data; centralized data governance policies; robust identity management programs; and due diligence on network devices.
For example, IT leaders should inventory the connected devices already in their environments and, going forward, ensure they are involved in the purchase of new devices, Martin said. They also should help staff and students understand how to adjust protection settings on their own smart devices.
Develop Risk Management Culture and Incident Response Plans
Most important, however, is establishing a culture of risk awareness and education throughout the institution, Martin said.
“The No. 1 absolute is culture, training from top to bottom,” she said, emphasizing that training should apply to everyone from the president on down. “No one is exempt.”
If certain staff are exempt, she said, those are the users who will be targeted because of their weak defenses.
Given the prevalence of attacks, she said, institutions also need to prepare for the likelihood that they may one day be a victim of an attack and engage in incident response planning accordingly.
“You’ve got to know what you would do on day one if you walk into your office and you’ve been compromised,” Martin said.
Integrated Security Platforms Are on the Horizon
Among technology vendors, one trend that bodes well for improved data security, according to Martin, is that products are moving away from silos, with each product designed to address a particular piece in the IT stack. Now, she said, vendors are developing platforms with integrated capabilities that give IT staff much better visibility across their systems.
“[The information] starts to come together,” she said. “They’re wider, they’re deeper. This does not mean the old technologies and old companies are going away, but they’re morphing into these broader protection platforms.”
Also coming, she said, are two new capabilities: security operations analytics and reporting engines (SOAR), which help to automate responses to security incidents, and user and entity behavior analytics (UEBA), which leverage machine learning and advanced analytics to establish typical user behavior and alert to potential anomalies that could indicate a breach. Splunk, for example, recently acquired Phantom, a SOAR, and Caspida, a UEBA, Martin said.
Such tools will be especially useful for small IT teams, helping them make the shift from simply collecting data to transforming it into actionable information that supports a security strategy.
“What’s happening is a movement to a whole ecosystem,” Martin said.
For more UBTech coverage, check out our events page.