The council identified the top 10 issues with gaps between goals and performance, and then assigned risk and priorities. One key area was security awareness training.
“Our users are really smart people, but we’re just one double-click away from someone installing ransomware that would encrypt every file they have access to,” says Bowen.
Another critical element is an incident response plan that’s practiced at least once a year, he adds. Recently, F&M augmented its plan with some of the philosophies behind the Federal Emergency Management Agency’s National Incident Management System, to improve communication and the effectiveness of response efforts.
“As security people like to say, it’s not a question of whether you’ll be attacked, it’s when,” says Bowen. “Everybody is a target, even smaller schools like ours.”
The Cybersecurity Risks and Vulnerabilities Unique to Universities
Universities’ security needs are much like those of other large enterprises — with a few key differences, says Kim Milford, executive director of the Research & Education Networks Information Sharing & Analysis Center. Headquartered at Indiana University, REN-ISAC serves as a computer incident response team for its more than 600 member institutions.
A 2016 threat analysis by REN-ISAC and the Department of Homeland Security found that colleges and research centers are slightly more likely to be victims of intellectual property theft and denial of service attacks.
At the same time, universities have far more complex environments to protect than even big businesses, with offices, classrooms, convention centers, sports arenas and even their own power plants. There are also greater demands on the budget available to pay for it all.
“We’re constantly balancing the risk of information security with other very real risks,” says Milford. “Are our classroom buildings in good repair? Do we have enough enrollment for the coming year? Is our faculty aging? If so, what can we do about that?”
Like F&M’s Bowen, Milford says user education is central to a secure campus.
“It’s easy to plug in automated controls or implement two-factor authentication,” she says. “But not training users on what to look for in a phishing attack makes them more vulnerable at home and on different computers, which leaves us all more vulnerable.”
Elgin Community College Simplified Its Firewall Protections
At Elgin Community College, limited resources are a fact of life.
Located 30 miles west of Chicago, the college serves roughly 15,000 students and 1,600 staffers and faculty. With just seven IT employees to handle the college’s server maintenance and network architecture, Elgin needed to streamline its security posture, says Information Security Officer Bill Forg.
To do that, Elgin had to resolve two issues. First, its firewall was nearing end of support and needed to be replaced. Second, the network used multiple firewall devices, each of which had to be configured and updated individually, putting a strain on the team’s limited resources.