The former executive director of the National Cyber Security Alliance shares his advice on minimizing risks. 

Oct 19 2021

Q&A: Kelvin Coleman on the Tactics Most Likely to Keep Data Secure

The former National Cyber Security Alliance executive director sees best practices and robust education as the path to data privacy and protection.

Distance learning and hybrid classroom environments have been increasing for years, but the pandemic put them into overdrive. EdTech: Focus on Higher Education spoke to Kelvin Coleman, until recently the executive director of the National Cyber Security Alliance, about persistent threats and how to keep campus communities engaged in data security and privacy.

EDTECH: What drew you to cybersecurity?

COLEMAN: I was always very attracted to team sports. This is the ultimate team sport. The alliance works with the private sector — all the way through down to the mom and pop shops, all the way up to Fortune 500 companies — and with government: federal, state and local. 

That has always been very attractive to me, to convene folks so that we can solve problems. My favorite athlete and a fraternity brother of mine, Michael Jordan, would say, “Talent wins games, but teamwork wins championships.” 

EDTECH: Distance learning was growing before the pandemic, but it has exploded over the past 18 months. Given that, how important is it to educate faculty on data privacy measures?

COLEMAN: Schools all the way down to preschool, these days, are leaning on technology use more than ever. COVID-19 certainly expedited that and gave it new life. For a lot of schools, accessibility of information was the first order of business. Security wasn’t necessarily top of mind. They wanted to make sure teachers, students and parents were able to access information, but they didn’t really think about security, for the most part. 

Now, we already have seen massive school breaches this year, some of which have forced institutions to temporarily cancel classes. As colleges use technology more and more, online safety needs to be in the spotlight.

EDTECH: What are some ways data privacy regulations can be violated, even unknowingly?

COLEMAN: What we’ve seen primarily is the compromise of personally identifiable information. These days, bad actors are not necessarily saying, “Hey, send me a check for X amount.” What they’re doing is compromising personally identifiable information: Social Security numbers, driver’s license numbers, credit card information. Those things are very valuable on the dark web. 

That’s why it’s so important for colleges to protect this information, and that’s what we see compromised publicly. Bad actors are making calculations in hitting a college. They’re thinking, “These are probably kids from families who have assets and have wealth to them.” The target-rich environment is something they’re very careful about choosing.

EDTECH: What steps can universities take to minimize the risk of student data theft? 

COLEMAN: Several things, and I always say they’re not terribly exciting but they are incredibly effective. I recommend using a password manager. Passwords themselves are still very important. Some people may think they’re out of fashion. No. Passwords are still very, very important. 

The other thing we tell people is to make sure you enable or employ multifactor authentication. If passwords act as a lock on the door — and certainly there’s no guarantee, but it gives you more safety than having the door unlocked — then multifactor authentication is the deadbolt. It gives you that much more protection. Cyber bad actors are just like any other bad actors: They’re lazy. They want the easiest way possible to enable their nefarious intent. 

Another simple step: Don’t hesitate to update. So many breaches occur because folks haven’t updated the patches on their systems. Running anti-virus software is still important; it never was not important. 

All those things are on the technology end of it, but in an academic setting, physical proximity is important as well: professors’ offices and things of that nature. Make sure they maintain a secure workplace. On campuses all over our country, we must be able to maintain a secure workspace to protect that information. 

EDTECH: What are some common types of cyberattacks universities and remote learners could experience as classes resume this fall?

COLEMAN: I think ransomware is still going to be prevalent, and phishing is still a very real threat — in fact, a top threat. Spear-phishing will continue to be big, as will be whale-phishing, or targeting the president of the university and trying to get her information. We must make sure we’re convincing university leaders that they have to set the tone at the top, so everyone else can follow their lead. Bad actors are using all those methods and using them at very high rates.

EDTECH: When it comes to policy, where are current student data privacy laws lacking? Are there things that you’d like to see change?

COLEMAN: I don’t think laws, regulations and mandates work as well as good old-fashioned education and awareness. If I say, “Smokey Bear,” you would probably say, “Only you can prevent forest fires.” If I say, “Click it or …,” most people say “ticket.” 

These all came from intense, robust campaigns to educate people on how to be safer. That’s what we need in cybersecurity. We need a national public service announcement campaign. Let’s do massive outreach and awareness to students. I think this message will resonate with them in a major way, and that would be protection that would follow them beyond the classroom.