Sep 30 2020

COVID-19 Brings Cybersecurity Risks and Opportunities

EDUCAUSE Cybersecurity Program Director Brian Kelly discusses how the pandemic has affected higher education in 2020.

It was almost to be expected: Shortly after COVID-19 forced much of the United States into hibernation, universities around the nation began experiencing an uptick in cybersecurity threats. There are, after all, few things a cybercriminal appreciates more than the opportunity to capitalize on chaos. For cybersecurity professionals, this has raised a critical question: How can they enable their faculty and staffers to continue learning and teaching while still protecting the security and privacy of their university’s network and all the valuable data it contains?

In this interview, EDUCAUSE Cybersecurity Program Director Brian Kelly discusses the cyberthreats affecting universities during COVID-19, his thoughts on higher education’s response so far and how the cybersecurity events of this year could shape the future.

EDTECH: What are some of the biggest threats you’re seeing for higher education as the COVID-19 pandemic continues to unfold?

KELLY: As a cybersecurity professional, you never want to say everything is fine and feel like you’re jinxing yourself, right? What we did through the spring and summer within higher education — and especially within cybersecurity — was really to enable learning, whether that means hybrid learning or coming back to campus.

One of the things that I like to say — and I can’t take credit for it, because it came from one of my peers — is that information security used to be “The Office of No.” The chief information security officers on campus used to be the ones who told people, “No, you can’t do that,” or “No, you’re not doing that securely.”

But culturally what we see — not only this year but over the past couple of years — is a shift to trying to become the Office of K-N-O-W. We want to say, “We want you to know how to do something securely.”

We’re seeing the fruits of that shift now, with this transition. Think back to what feels like a lifetime ago, in the spring, when everybody so quickly went from being on campus to learning online. From a cybersecurity perspective, we had already started to change the culture around how we operate. We could enable that transition so that information security wasn’t perceived as a roadblock.

We can’t do this alone. Information security and cybersecurity is a team sport. I think that’s really what helps provide the foundation for where we are today and how we’re able to enable our campuses to do the things that they’re doing, whether that’s doing contact tracing securely or remote learning securely. All of those things didn’t just happen in the past six or eight months. They happened because we’ve been collaborating on them before COVID-19.

EDTECH: Do you think this is a permanent cultural shift, or will things go back to “normal”?

KELLY: I think it’s a permanent shift. I think 2021 will be a bridge back to some normalcy, or at least what we were familiar with pre-COVID, but a lot of what our community is talking about now is this idea of transformation. We’ve transformed over the past eight months in terms of how we do all of the information security things that we used to do on campus.

There’s also a transformation in how we operate our security infrastructure. Our teams that typically would work on campus are now remote. Our faculty, students, and staff — along with their devices, their laptops and their phones — are not connected to our campus networks anymore. They’re using their home internet service providers, so we’ve had to evolve and learn from each other how to secure devices in remote places. It’s been a really transformative and evolving year, but I think we were able to do it because of the connections and collaborations that we have with each other. No one had to figure it out on their own. We were all learning and sharing best practices, from large Ivy League schools to smaller community colleges. That collaboration moves between both ends of higher education.

EDTECH: You talk a lot about collaboration and sharing best practices. Who are the most important players that these teams should be sharing information with?

KELLY: I think what we look for is being able to engage and communicate up through campus leadership — not only your chief information officers, but your president, your provost, your board of trustees. It’s about making sure that we’re communicating not only about threats but also what we’re doing and how we’re enabling the business of the institution. Within the community we see that conversation happening between institutions, with information being shared laterally.

As a former chief information security officer, I always advocate that you have to let your teams know what’s happening within your security strategy. What threats are we seeing? What initiatives and business processes will we have to support and secure? Then, also talking within our campus community — faculty, staff, students and parents — and making sure they know that cybersecurity is everyone’s responsibility, and that we all have a shared role in that.

We do that through awareness campaigns that empower our community to recognize threats and to react and defend against them. It shouldn’t be thought of as, “Well that’s the CISO’s job.” We want to make sure that everybody feels like they’re contributing to good cyber hygiene on campus.

EDTECH: What do you think about higher ed’s response to COVID-19’s latest threats so far? Has it been effective?

KELLY: Yes. We did a QuickPoll back in the spring around how COVID has changed security within our institutions. While the responses showed that it’s become more difficult, we’re also still able to do it right, and I think we’re doing really well around awareness training, outreach and communications.

Email filtering is something that we think about for spam and phishing attacks, and those are still things that we’re fighting against, but we’re ready for that. Data loss prevention is another area where we have to think about sensitive data on endpoints. These are all areas that we’ve worked on for a while, and because we were covering them prior to COVID-19, they weren’t impossible. Yes, COVID-19 made them a little bit more difficult to execute on, but we weren’t unprepared.

EDTECH: Are there any other areas that are particularly vulnerable to cyberthreats?

KELLY: I think you always have to be on guard. The work will never be done, so continued vigilance is important. Our role here at EDUCAUSE is really to listen for those things that we need to guard against and then make sure that we’re communicating the latest threats and trends to our members. We also are taking in where our members are solving a problem or doing something really well and sharing that with our community.

I think everybody is vulnerable. Part of it is that we’re busy. Everyone is busy, and that sometimes works in the adversaries’ favor. It’s not that one person might be more vulnerable, it’s just that maybe they’re not paying attention. When we talk about cyber hygiene, and you’ll hear this time and time again, we talk about making sure systems are patched and making sure that applications are up to date. There’s that list of things that you want your end users to think about, but I don’t know that any one class or group of individuals is more at risk.

EDTECH: How can IT departments better work with their end users to educate them?

KELLY: It’s about messaging them where they are. When we were all together on campus — I’m sure they’re still doing this — we’d use signage and message boards. A lot of our institutions are creating apps or using National Cybersecurity Awareness Month messaging on Facebook, Twitter and Instagram to reach users where they are. We talk a lot about NCSAM in October, but this is an evergreen campaign, and that’s why our EDUCAUSE cybersecurity awareness campaign is 12 months. We don’t want to just be thinking about cybersecurity in October; we want everyone to think about it throughout the year. For campus IT professionals, this awareness education is part of what you do every month. You bake it into events so that it’s part of the culture. You improve user awareness of security or cyber hygiene through awareness and engagement.
