Think about the nightmarish cybersecurity situation facing colleges and universities for a moment. Their campuses are vast and sprawl across dozens of buildings. They provide online services to tens of thousands of students and faculty members who are not renowned for their implementation of rigorous security measures.

That’s a whole lot of personal information to safeguard. Also, universities each have research facilities where intellectual property (IP) must be closely guarded. Now factor in the monetary picture: Many colleges bring in huge quantities of money from tuition fees, donations and grants.

This makes them an attractive target for cybercriminals. The Verizon Data Breach Investigations Report cited 497 incidents for the year in higher education, with 238 confirmed as suffering data disclosure. Attack vectors included basic web application attacks, misdelivery, publishing errors, misconfiguration, phishing and theft of credentials.

Cybersecurity takes a team effort 

Football coaches continually preach that defense is a team effort. At last month’s CrowdStrike Fal.Con conference in Las Vegas, a group of CISOs from the Big Ten spoke about how they collectively address the many challenges posed on the cybersecurity front.

Rich Nagle, CISO at Ohio State University, said the Big Ten Academic Alliance has existed for many years to facilitate academic cooperation. Within that structure, various working groups operate. The CIO working group was one of the early ones in IT. But the quantity of cybersecurity questions and issues grew so much that the CISO working group was born. They meet every month over Zoom as well as three times a year in person. They take turns hosting these events, which float from one campus to another. In addition, there is an annual get-together at the Big Ten conference in Chicago.

Hot issues rarely wait for formal meetings. An email-based thread has the members constantly collaborating.

“This group is my first go-to on any question,” said Nagle. “We leverage each other in sharing cybersecurity knowledge.”

He noted that relationships build over time. With the sensitivity of cyber-issues and the necessity to safeguard data privacy and institutional integrity, members gradually gain enough confidence in their fellow members to be able to openly discuss difficulties and the details of any attacks they suffered.

“I built trust with my peers through interaction over time,” said Nagle. “You reach the point where you are willing to share sensitive data and know it won’t be compromised.”

Brandon Grill, senior director, Technology Planning & Security, Northwestern University, explained how topics evolve for regularly scheduled meetings.

“Once you get enough email on a subject, you begin to realize that we should perhaps have a full session on it on Zoom or in person,” said Grill.

He added that he has his fellow CISOs on speed dial.

Sharing cyberthreat intelligence

Cybersecurity attacks and breaches are often common across the Big Ten campuses. What happens to one is likely to be happening, or be about to happen, to the others. Matt Morton, executive director and CISO, University of Chicago, said fast information sharing of cyberthreat intelligence is key.

“We learn from each other how to deal with incidents,” said Morton. “This raises our cyber programs to a level you can’t achieve on your own.”

He is particularly concerned about how the network perimeter has evolved over the past few years. Some hope that there may be a return to on-campus work and an end to work-from-home. But he doesn’t believe that is likely. Hence one of the biggest threats to campus security is the state of security at home.

“We are focused on securing the accounts of individuals wherever they may be,” said Morton. “We are building a stronger program to protect home and remote users who access our network.”

Maintaining data privacy 

Privacy is top of mind for Kim Milford, CISO, University of Illinois Urbana-Champaign. She noted a rise in regulations on the sharing of academic data and protecting the rights of individuals.

“The CISO working group members know each other’s environments, which makes it easier to share key data on incidents,” she said. “But you have to pay attention to things like leaving out the data such as IP addresses and anything sensitive or confidential that falls under the various privacy rules.”

Nagle added that student data is gradually coming under the microscope as more compliance rules are passed in various regions. But staying in compliance across an entire campus and across the entire student body is far from easy.

“Compliance systems and policies can be difficult to implement due to our scale,” said Nagle.

Despite the barriers, these CISOs understand that privacy looms large in their future. Milford went as far as to say that she expects privacy to grow so much in importance that it will dominate – that cybersecurity will be one facet of a broader privacy structure.

AI looms large in cybersecurity

At the end of 2022, the CISO working group held a meeting on Generative AI. The CIOs were hearing all the buzz on AI and the group understood that they needed to get ahead of it. They discussed how to balance the obvious benefits of generative AI with risks such as data exposure, privacy, protecting sensitive data and other security concerns.

“Faculty members are already harnessing generative AI so we need to know what they are doing and help them to stay secure,” said Morton.

That is easier said than done. Researchers, for example, sometimes find it hard to see the importance of yet another round of cybersecurity safeguards, this time related to AI and data protection. Morton offered a tip on how to win more interest and involvement from researchers. Ask them: What if you can’t prove that the data you have been gathering for the last ten years hasn’t been changed? He said that this approach has opened the door to greater willingness to accept cybersecurity and privacy policies.

Milford emphasized education on threats and the consequences of insecure actions. She sends a monthly newsletter to students, researchers and administrators as a way to constantly remind people about cyber-hygiene and gradually bring about a cultural change.

Morton has initiated actions to educate and protect students from the dangers potentially posed by AI. This includes working with the student council and providing guidance on how to cite conclusions that were reached using AI.

“We try to educate them on the risks and their responsibilities,” said Morton. “But the speed of adoption of generative AI is faster than most institutions are used to traveling at.”

Grill concurred.

“It takes a while for traditional institutions like colleges to change, thus we can be slow when it comes to cybersecurity,” said Grill. “The biggest threat we face is probably this gap in pace.”

Willingness to follow the dictates and suggestions of the cybersecurity team represents another obstacle. Milford observed that some departments and researchers may express a lack of trust in the tools her department advocates. This is something they will have to get over, as she expects to see more convergence of threat intelligence tools in the near future.

Big Ten sticks together on threat intelligence tool

Nagle said that the members discuss the tools they use to thwart attacks and stop breaches. Over time, each of them gravitated to the CrowdStrike Falcon platform.

“We all work together on threat intelligence and tend to have similar tools and work with similar partners,” said Nagle. “Falcon makes it easier for us to share information related to ongoing threats.”

Grill added that information is often shared about a new product being used. Others often adopt it. But each institution conducts its own vendor assessments and adopts tools specific to its own needs and the platforms it prefers.

He is currently grappling with the complexities of data loss protection (DLP). Why? Higher education and research data goes everywhere. Governments, industry, other institutions, other researchers – all are party to such data. This makes it hard to implement an effective DLP, as each entity uses different systems. One might be running Microsoft 365 and another might be on Google Docs, for example. There is a need for comprehensive DLP tools that simplify the sharing and securing of data across the many platforms that exist.

“Modernization of DLP is the most transformative area of cybersecurity for us,” said Grill.