Feb 24 2023

It Takes More Than Technology to Secure Your Institution

Teamwork, training and tech must come together to protect networks from cybercriminals who continue to target colleges and universities.

Every IT department in higher education is focused on cybersecurity. For years now, colleges and universities have been subjected to cyberattacks, and as long as institutions continue to be storehouses of massive amounts of student, research and staff data, they will continue to be targeted.

Over time, higher education institutions have gotten a little better at defending themselves. They’ve beefed up their security protections by incorporating new technologies and they’ve gotten better at identifying different types of attacks.

Unfortunately, cybercriminals have also grown wiser, and have rolled out new tactics to penetrate networks and secure their ransom demands, including through double-extortion campaigns.

Double extortion is a common strategy in which cybercriminals steal data to share on data leak websites. CrowdStrike noted an 82 percent increase in ransomware-related data leaks in 2021, underscoring the growing prevalence of these threats.

Protecting against these threats has been further complicated by the flood of technologies now used in higher education, a transition that was sped up considerably by the COVID-19 pandemic and a widespread shift to online and hybrid instruction. That flood also includes tech that powers smart campuses and enhances physical security, and even bots that answer questions about financial aid.

The more technologies we continue to use, the better higher education must be prepared to secure that tech. Trying to bring any new technologies into the fold without considering the security risks is a recipe for future disruption.

It’s also no longer enough to rely solely on security technology to keep networks secure. Staff must be trained to use the latest tools and keep them updated as threats evolve.

Securing a college or university in 2023 is a complex problem that demands innovation, expertise and an openness to change.

Teamwork Is Key to Tech Implementation in Higher Ed

Focusing on innovation challenges the norm in a positive way.

I learned this firsthand as a technology buyer at Arizona State University, a school that has topped U.S. News and World Report innovation rankings for seven years running. I made an effort to avoid spending money on products that would just sit on a shelf, something IT execs call “shelfware.” It also became clear that purchasing technology without security was irresponsible, and ineffective at stopping breaches. We created a plan to fully fund both the technology and the expertise for any initiative we wanted to pursue.

When bringing in a new service, it isn’t enough to just buy the tools, or to only hire staff without providing them the tech they need to do their jobs. Schools must commit to both: best-in-class security technology and people to implement, operationalize and enhance these tools as required.

At ASU, we implemented an IT rationalization initiative: Each year, we went through a list of every asset with a security implication, no matter where in the organization it existed. We followed these assets closely to ensure security features were implemented, and each year we revisited these crucial questions:

  • Why do we have this software?
  • What can we do to fully implement the licenses we have?
  • Do we need more people to support this product?
  • Do we need this technology?
  • What do we need that we don’t have?

This type of process can give schools a broad view of security across the organization and allow them to adjust strategy as their needs and tooling evolve. It isn’t possible without the right products and expertise, which is exactly what today’s colleges and universities need to strengthen defenses.

As institutions continue to face security threats, funding technology without proper protection is a recipe for disaster. Colleges need security tools and trained staff to defend against advanced attacks.

Tips for IT Teams Working to Secure Higher Ed Institutions

Creating a culture of cybersecurity awareness is essential to every university’s success. Within that risk-based approach — and the governance and architecture conversations that go along with it — a few key recommendations continue to prove invaluable as we build and maintain capable, effective security teams.

  • Refocus your tech funding. Colleges and universities sometimes lack resources to acquire technology and build out enterprise-grade security strategies. Create an IT rationalization initiative with your team and examine the products you’re using. Are there opportunities to use open-source products instead of paid software? Is there space to reallocate existing funds to a tool that would provide greater value?
  • Be ready to act. If an incident occurs, the only thing you can control is your response. Organizations are largely judged not by the attacker’s actions but by how they respond to a crisis. Put together an incident response plan; it is the most important step you can take as a security leader.
  • Protect your identities. Secure service and admin accounts with multifactor authentication and adopt a zero-trust approach in which you verify users before they access key systems and resources. Ensure that only known entities can connect to your school’s environment.
  • Practice good security hygiene. Ensure software is properly configured, eliminate unnecessary software and stay up to date with the latest patches. Sometimes, adopting software that’s easier to maintain is the best path to proper security hygiene.
  • Control remote access. Avoid exposing Server Message Block and Remote Desktop Protocol ports to the internet and restrict the use of remote access tools. Controlling remote access is a comparatively simple precaution, but it continues to be an area where schools and universities could improve.

Higher education institutions face more cyberattacks than some other industries but often have less funding to fight them. There are many cybersecurity resources and experts offering advice for anyone in the education space seeking to learn more about improving their security posture and responding to attacks.
