User error is a common cause of cybersecurity incidents. From a professor who inadvertently clicks a link in a phishing message and triggers a ransomware infection to a senior administrator who falls victim to a social engineering attack, IT professionals know that a single user mistake can have severe effects.
When the user making that mistake is an IT professional, the consequences can be dire. IT professionals possess the metaphorical keys to a university’s digital kingdom, and an attacker who gains access to an administrator’s account may be able to quickly compromise the entire organization’s network.
It’s easy to sit back and think, “Sure, but IT professionals know better. They’re probably the most careful employees at the university.” While that may be true, that doesn’t mean they’re perfect. In a recent Apricorn survey of IT professionals, 60 percent agreed that remote work conditions over the past year caused an increase in data security issues within their organizations.
Protecting administrative accounts from compromise should be near the top of the list of priorities for any cybersecurity program. Let’s look at a few steps universities can take to protect themselves against errors made by IT staff members.
EXPLORE: The checklist for avoiding zero-day exploit in higher ed.
Adopt a Zero-Trust Security Philosophy
Zero-trust network architecture (ZTNA) is an increasingly popular cybersecurity philosophy that boils down to one simple rule: Trust decisions should be made based on a user’s authenticated identity rather than the device or network that being used.
For many years, university technology teams made access control decisions based upon device or network location because it was the simple thing to do. It’s easier to grant an entire faculty network access to a file server rather than confirming the identity of each user.
This approach, however, falls short when a user lends out a device or a device is compromised by an attacker. Anyone gaining access to the device then has access to all the systems that trust that device. Adopting ZTNA shifts this mindset, requiring confirmation of the user’s identity at each session.
LEARN MORE: Understanding the zero-trust model can help prevent ransomware attacks.
Save Administrative Accounts for Administrative Work
IT professionals have access to privileged administrative accounts that allow them to bypass many security controls and modify security policies. These accounts are a necessary part of getting IT work done, but they also present a significant risk to the institution. If the wrong person get access to such an account, an attacker could use it to defeat many of the layers of security painstakingly built by cybersecurity teams.
For this reason, every IT professional should have two separate accounts: one for work requiring administrative access to systems and another for day-to-day tasks.
IT professionals should use the normal account for logging in to their computers, checking their email and other routine activity. They should only access privileged administrator accounts when necessary for a specific task and then immediately log out of that account when administrative work is complete. This approach limits the use of superuser accounts and reduces the risk that one of these accounts will be compromised.
Click the banner below for exclusive content about cybersecurity in higher ed.
Deploy Privileged Access Management Technology
Privileged access management (PAM) technology is an even safer way to handle administrative access to systems. PAM technology allows IT professionals to temporarily gain administrative access when they need it and then immediately revokes that access when it is no longer required. PAM also includes advanced monitoring capabilities that track the actions of administrators, watching carefully for signs of malicious activity or potential account compromises.
Deploying PAM on a university network is often a significant undertaking due to the breadth of systems managed by the IT team. Institutions may wish to consider prioritizing their most sensitive systems and limiting their initial deployment of a PAM solution to the areas where it will reduce the most risk.
FIND OUT: How IT can use Intel vPro to help remote management.
Automate Routine Administrative IT Tasks
People make mistakes. Even the most careful IT professional occasionally makes an errant click of the mouse or mangles an account ID. If that mistake is made while granting a user access, configuring a firewall or conducting some other sensitive security activity, the mistake may open a vulnerability that allows an intruder into a university’s technology environment.
Most IT organizations these days are pursuing automation efforts in the hope of reducing the burden on their already overworked teams. These automation efforts can also reduce the likelihood of critical errors by allowing algorithms to handle repetitive tasks in which a human might make an error.
As university technology teams deploy automation capabilities, they should look for opportunities to include critical administrative IT tasks in those projects.
DISCOVER: 5 questions to ask when evaluating cybersecurity assessments.
Educate IT Professionals About Their Responsibilities
Technologists are, generally speaking, a confident bunch. They possess advanced technical skills and are proud of the value that they bring to organizations. This attitude, however, can sometimes lead to situations where technologists cut corners to save time or have unwarranted confidence in their abilities.
Technology leaders should ensure that every IT professional in the organization understands his or her job duties as well as the security responsibilities associated with those duties. Leaders should also work to build a culture where technologists know that they’re not expected to have all the answers at their fingertips and that they can ask teammates for help when they need it.
IT professionals are among a university’s most trusted employees, and errors they make can have devastating consequences. Technology and cybersecurity leaders should take preventive steps now to reduce the likelihood and impact of serious errors.
