Tom Dugas, CISO, Duquesne University
Aquilla Hines, Threat Intelligence Specialist, Proofpoint
Doug Thompson, Chief Education Architect, Tanium
Nick DiDonato, Emerging Technology Lead, HashiCorp
David DeVries, SLED CTO and former State/Federal level CIO, Commvault
Randy Watkins, Chief Technology Officer, CriticalStart
Khalil Yazdi, Resident EdTech CIO, Carahsoft
The transition to remote and hybrid learning over the past few years has increased the need for digital and physical devices to support K-12 and higher education campus-wide operations. Unfortunately, this has heightened vulnerabilities for security breaches in schools. While online security strategies like a Zero Trust approach can be beneficial for institutions, those same communities often strive to remain an open and collaborative educational ecosystem. Balancing the creation of a secure and fortified digital campus while ensuring personal privacy and data, as well as physical security is challenging; however, there are many opportunities and methodologies for educators to keep their students and staff secure.
Carahsoft’s three-day EdTech Talks series concluded by diving into cybersecurity and what education leaders should know, best practices for meeting compliance requirements, data management strategies and tactics for acing cybersecurity with limited resources.
Cybersecurity: What Education Leaders Should Know Now
Since early 2020, there has been a surge in the need for digital transformation to accommodate emergency educational services due to the pandemic. Higher education institutions saw a meteoric increase in cyber-attacks and the cost of paying out ransomware, and therefore, cyber-insurance fees, have skyrocketed. Now more than ever it is essential for campuses to have a robust cybersecurity strategy in place.
Digital Transformation Within Institutions
Many organizations are deep into the process of digital transformation. Schools and universities are looking to achieve MultiCoud hybrid infrastructures to reframe the way they approach cybersecurity, which can be established through containerization, tracking user management, access tokens, hybrid workload models with secure networks and shifting from IP-based security to an identity-based security. These methods ensure trust is being granted on an individual platform and application basis instead of on a general perimeter basis within an institution’s digital environment.
Ransomware and Phishing
Phishing continues to be one of the most common attack vectors for ransomware and is increasing in its sophistication. Since 2020, attackers have leveraged COVID-19 themes, and now are targeting student loan forgiveness, building believable digital communications for users to click and open containing threats. While simple cybersecurity training is a productive start, it is not always the most effective solution to fend off all phishing attempts. With multiple gateways for phishing–email, SMS messaging, QR codes, etc.–trainings should be expanded to include all avenues of danger. Additionally, institutions should take a student-centric approach to trainings, focusing on who is most at risk of falling for these attempts and sending out tests that mimic students’ familiar digital environment.
The Changing Cybersecurity Landscape
Staying ahead of everchanging cybersecurity threats is vital for institutions to protect themselves from ransomware and other dangers. Artificial intelligence (AI), automation and upskilling IT talent are among the most successful solutions to implement in digital environments because they reduce the burden on already strained manpower. Leveraging AI to perform simple patches and reboots that bad actors continuously try to exploit allows IT teams to focus on the higher-level risks at hand and operations that require human intelligence. Additionally, giving IT employees opportunities to upskill their cybersecurity knowledge creates a more advanced team that can better support those higher-level solutions and improve their relationship with an institution for little to no cost with free trainings and programs widely available.
Meeting Compliance Requirements and Managing Data Differently
With an overwhelming amount of data held by educational institutions, data sprawl increases the surface for cyber-attacks. Security solutions alone may be ineffective, so proactive data management is key. On the educational front, many institutions utilize multi-cloud solutions, and it is imperative to understand that data responsibility remains with the owner, not the cloud-provider. Institutions must create a holistic management system by getting to know their data, cleaning it up, backing it up and maintaining healthy data governance.
An effective security strategy begins with critical leadership involvement to make security posture decisions. Organization members should agree on and align with a standard compliance requirement that will benefit them best, then hire and challenge the talent that will support the mission to achieve that compliance. This way, sharing authority, accountability and responsibility with a team and encouraging open communication becomes easier for ensuring progress. Lastly, minimizing the number of tools and automating as much of the process as possible will lead to a simpler and less costly road to compliance.
Acing Cybersecurity with Limited Resources
In the current landscape of cybersecurity expertise, talent can be hard to come by and harder to keep. With limited resources, institutions remain vulnerable to ransomware, phishing and unsecure operations. There are several risks plaguing cybersecurity teams in the education space, but there are solutions that an institution’s entire community can help support.
With the rise of remote learning and mobile communications during the pandemic, significant amounts of personally identifiable information (PII) were compromised during increased targeted attacks on education institutions. Recently, this valuable information is what attackers consider priority when executing a threat. Emails are a main source vector for bad actors to gain access to this data. To combat threats like these, institutions should build and utilize effective solutions.
Your need-to-know cybersecurity checklist:
- Leverage spam filtering to get rid of risky emails that could be phishing
- Consider augmentation with targeted digital solutions to further eliminate malice
- Educate and quiz students and faculty, who are the most susceptible to well-masked phishing attempts
- Make advancements in user awareness trainings
- Launch an internal campus-wide campaign to get the community talking about the best user awareness strategies
- Create a Student Security Operations Center (SOC) to assist IT teams with their daily activity and get students more involved
With many concerns at the top of educators’ minds, institutions must ensure they have the right tools, talent and technology to keep their communities remain safe and secure both on and offline.
Contributing experts from Tanium, Proofpoint, HashiCorp, Commvault and CriticalStart can help your organization understand and find the best-fit solutions for its unique needs in cybersecurity. Visit Carahsoft’s EdTech Talks 2022 resource center to view their on-demand recordings and learn more about the featured education technology providers.
*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at Carahsoft’s EdTech Talk Series 2022.*