1. Create a Solid Security Foundation Designed for Continuous Improvement
A budget, management support, tools, properly trained IT personnel: All of these are required to run a successful cybersecurity program and are easier to achieve when they’re fully integrated into the broader business goals of the institution.
“It’s much cheaper and more effective to have security planned in at the very beginning,” Schreiber says in the webinar.
A continuous improvement mindset is critical for cybersecurity, he says, “because technology is constantly evolving,” and security cannot be approached with a static strategy.
He recommends that IT departments conduct tabletop exercises with staffers who will be involved in incident response to prevent people from “learning in the heat of the moment during a major cyber event.” Then, be sure to incorporate the lessons learned into security plans and procedures. Consider hiring a third party to conduct penetration tests and other assessments that can help staffers identify and strengthen any potential weaknesses in the security environment.
2. Understand the Biggest Threats for Specific Campuses
To minimize risk exposure, security teams must fully understand the specific threats and vulnerabilities in their institutions. Depending on various factors — the nature of academic research programs, for example — some of these risks may differ among peer institutions.
Operational cyberthreats include personnel turnover and equipment failure; institutions can prepare for them with staff retention and replacement plans and a business continuity plan. Environmental threats, such as geopolitical and regulatory factors, may be out of colleges’ control but can still affect risk. When countries target other countries, this may “trickle over to the kind of cyber activity you’re facing,” Schreiber says. Active threats, of course, include external or internal attacks that require well-layered defenses.
Security teams, together with any campus staffers who have a role in data privacy, also need to stay aware of pertinent regulations, such as the General Data Protection Regulation and the California privacy statutes.
3. Expand Threat Intelligence Resources and Leverage Them Effectively
Threat intelligence helps institutions prioritize, Schreiber notes. “You know where to focus and what risks are most important to plan around, as opposed to a generic plan,” he says. He refers to the “Pyramid of Pain” as a model for applying threat intelligence to detection and response. “You aren’t just blocking one specific aspect of the attacker; you are disrupting their tools and training. If they find a challenging target, they’ll move on to an easier target.”
Colleges should ask the following questions to apply various threat intelligence layers more effectively to security programs:
- Indicators: Do security tools leverage accurate and up-to-date threat indicator data? Even the best indicators won’t be useful if that information isn’t embedded into the tools that have been deployed. “Indicators get stale very quickly, so you need to make sure vendors are keeping it up to date,” Schreiber adds.
- Context: Do analysts have instant access to context about each threat alert to improve triage? How hard is it for analysts to tie alerts back to the source?
- Insights: Do staffers have the information they need to understand a new threat and what its impact might be to the institution?
- Expertise: Do staffers have timely, accurate information to adjust and update strategies based on what security threats are out there and to defend against new threats? How will IT leaders share this information with board members and other stakeholders? Can leaders effectively communicate how threats affect the institution?
Finally, don’t forget about peer-to-peer networks and free or low-cost threat intelligence resources such as the Multi-State Information Sharing and Analysis Center. Take advantage of annual threat reports, such as those from Verizon and FireEye, and check with current vendors to see if they offer any threat assessment services or other resources.