Chief information security officers are grappling with a variety of issues as they try to keep their campuses safe from cybercriminals.
They're not alone. In fact, the No. 1 issue for higher ed IT leaders this year is information security, according to EDUCAUSE, a nonprofit association of IT leaders in higher ed. Information security regularly shows up on the EDUCAUSE Top 10 list, though it earned the first spot this year.
"I think information security rose to the top of the list in 2016 because institutional leadership is becoming more aware of the risks that arise when evolving technologies, business practices and user expectations collide in a way that doesn’t protect institutional resources, institutional data, or user data that institutions have been entrusted to protect," said Joanna Grama, director of the IT Governance, Risk and Compliance Program and cybersecurity programs at EDUCAUSE.
Universities find themselves locked into an expensive arms race as they try to buy new tools and change their tactics to counter the latest enemy attack, said Kim Milford, executive director of the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), which promotes cybersecurity operational protection and response in higher education. Meanwhile, the attackers find ways around the tools, switch strategies and hit different targets.
Whatever the outcome, the race will be expensive for universities, Milford said. If they lose a fight, they'll get hit with financial losses. If they win a fight, that means they probably invested plenty of money in a good security program.
In this race, CISOs have to make choices about what security risks they will tackle first and which ones will fall to the bottom of the priority list, Milford said. Oftentimes, they don't get to the low priority items, which is why so many universities were hit by networked printer hacks this spring. While the hack was annoying, it didn't shut down research and education, which were much higher priorities. That said, this hack is a harbinger of some of the challenges that the Internet of Things could bring to the field.
In surveys and interviews, CISOs cited eight major challenges they're dealing with today.
Just under a third of users opened emails in 2015 that were designed to trick them into clicking a malicious link or downloading malicious software attachments, according to the Verizon 2016 Data Breach Investigations Report, which analyzed 2,260 breaches and covered more than 100,000 incidents. That's up from 23 percent last year.
Students have a full load, faculty work 60 hours a week, and the rest of the staff members are working on teaching, learning and research. With these busy schedules, cybersecurity awareness often takes a backseat to teaching and learning, said Bob Turner, CISO at University of Wisconsin-Madison.
"The cloud has taken off like crazy, and it's a great help, but at the same time, it's complicated from an information security perspective because there's a lot of due diligence that has to take place," said Matt Morton, CISO and assistant CIO at the University of Nebraska at Omaha.
Security doesn't always top the list of university leaders' priorities. But with risks and consequences rising, it's important to get security on the radar at the executive level and establish a comprehensive strategy that has buy-in from the top down, Grama said.
In this expensive arms race, it's difficult for universities to keep up with the tools the cybersecurity industry creates, given their limited resources, Turner said. That said, they have to develop a plan for keeping their security tools as up to date as possible.
Universities also deal with the challenge of putting systems in place that will control who can access different applications and what level of access they need, Morton said.
When universities aren't centralized, it's more challenging to govern data security, Turner said.
With faculty members and students bringing so many devices on campus, the security staff members don't have the opportunity to make sure those devices are safe and secure.
"We get some stuff in the enterprise that's a little bit interesting, and we don't necessarily have a look at it until after it's already connected," Turner said.
To tackle these challenges, Grama suggests three standard approaches that will help reduce information security risks:
The strategies will vary depending on each institution's risk factors and management plan for those risk factors. But Grama said these standard approaches generally apply to most institutions.