Security

Q&A: Amid New Risks, Colleges Must Prioritize Valued Assets

SonicWall's Bill Conner discusses current vulnerabilities in higher ed security.

Amelia Pang is a journalist and an editor at EdTech: Focus on Higher Education. Her work has appeared in the New Republic, Mother Jones, and The New York Times Sunday Review, among other publications.

Higher education’s move to remote learning and operations has altered the cybersecurity landscape, creating new vulnerabilities that hackers have adapted to attack. EdTech spoke with Bill Conner, president and CEO of cybersecurity firm SonicWall, about some of the factors that make higher education a unique target, why ransomware can be so dangerous and how colleges should be approaching risk management.

EDTECH: What are some of the cybersecurity challenges facing colleges today?

CONNER: In this new normal, with education online, institutions are much more vulnerable. They’ve got students at home as opposed to in class, so extending the network to the home creates a wider attack surface. In higher ed, and in particular for research institutions, there is valuable intellectual property at stake. Bad actors are going to attack it either for dollars — clearly, ransomware is getting paid globally — or for intellectual property, especially around technology, healthcare and pharmaceuticals.

EDTECH: What strategies can help institutions protect themselves?

CONNER: The first piece is to recognize the differences that now exist. How do you rearchitect your security network for this extended, distributed network? Colleges have been a service provider because they’ve got these departments that we can think of as similar to lines of business. Now, you’ve got to think of those lines of businesses as different risk sectors: If you’ve got research in technology, pharmaceuticals or healthcare, you’re code red.

You need to focus on that high-risk group — the professors, the lab assistants and even the students — and make sure they are properly vetted, almost like you would any employee, in terms of what they have access to. Then, you need to layer in security from the extended network, starting with endpoint security and authentication. You need to look at home networks and the Wi-Fi they’re using. Are they contaminated, or can you put in secure wireless?

People are using cloud apps more, so you need to make sure that is protected. Then, you need to look at the access networks, VPN and secure mobile access to make those are as secure as you can get them. You need to be able to look at your email and PDFs, because if people are coming in through spearfishing, which they are, that’s the easiest way to get into the network, take intellectual property or create ransomware opportunities, if that’s the objective.

What I strongly encourage is to layer that extended network and look at it in a prioritized fashion, knowing that the attack surface is infinitely large now.

CONNER: I would never recommend paying. Almost every security agency says not to do it, but every situation is different. What I would say is that just because you pay, it doesn’t mean you’re going to get your information back, because so many of these attacks are malware cocktails. Increasingly, ransomware is used as a Ransomware as a Service, meaning you go onto the deep web and you buy a ransomware package, and the sellers will ensure that you get in.

What they’re doing is making these ransomware cocktails out of bits and pieces. The problem is that whoever unleashes that ransomware on you may not have all the keys to unlock it back to you. Of course, you also don’t want to set a precedent of paying, because they will come back to you.

Instead, you should be backing up. Everyone has heard that, and it may be hard to do, but it’s critical that you do that, encrypt it and protect it.

EDTECH: Is there anything else institutions should keep in mind?

CONNER: The key thing I see is that the vulnerability and attack vectors are much wider now. Given limited resources, be it human capital or expense, you’ve got to think strategically in terms of risk to your institution. You’ve got to prioritize your most valued assets, much like a business does.

Getty Images/Monsitj