Higher ed institutions face quite a challenge when it comes to cybersecurity. These institutions store massive volumes of data pertaining to not only their students, but their faculty, alumni, parents, and donors. If a university is breached, a single student record contains a comprehensive view of the student’s life including demographic data, academic records, medical records, and financial data. The threat is real. In early 2019, Georgia Tech revealed that it was a target of a cyberattack on personal information of up to 1.3 million current and former students, employees, and prospective students. This is where security and risk management (SRM) comes into play.
What is Security Risk Management?
According to Gartner: “Next-generation security and risk management (SRM) in higher education focuses increasingly on end-user trust and, thereby, goes beyond the fundamentals of resilience and central control. Increasing personalization puts an emphasis on the ethical use of data that requires faculty, staff, and student control and consent. SRM leaders are key enablers of this new level of personalized ‘digital business.’” In other words, SRM is an ongoing process of identifying security risks and implementing plans to address them. And these attacks don’t have only digital consequences: the digital society is a blend of the virtual and physical worlds. For example, a German steel mill suffered major damage in a cyberattack after the attackers gained control of the mill’s systems and prompted a blast.
How to Create an SRM for Higher Ed
The Ponemon Institute, a cybersecurity research firm, reported that each lost or stolen record cost educational institutions an average of $246 last year. And that exposure is not limited to student records, because universities operate like a small town, with operations, research, health, finance, and transportation departments.
A good SRM strategy focuses on identifying the highest-impact threats. According to an article from Educause, threats fall into three risk categories (high, moderate, and low), illustrated with one example each in the table below:
| Threat Category | Threat Description | Impact | Value to Attacker | Effort |
| --- | --- | --- | --- | --- |
| High | Student Health Services database breach | Office of Civil Rights fines and increased oversight; identity theft; health insurance fraud; lawsuits (High) | $80 per record on black market x 40,000 students = $3.2 million | High |
| Moderate | Distributed denial-of-service (DDoS) attack on single sign-on system | Unable to conduct business (High) | Ransom payment; publicity | Low |
| Low | Stolen credentials used to access paid research database | Possible lawsuit from research database provider (Low) | $10,000 and up | Low |
So where do you start when creating a plan? First, think of security as a team sport. Gartner recommends that institutions: “Implement broadly supported and effective security policies and practices at your institution by establishing a comprehensive planning and governance group. It should be composed of a variety of stakeholders, including students, faculty, finance, legal and HR, that consider programs for mitigating risk, building trust, protecting student privacy and using data in an ethical manner.”
Second, Gartner recommends that you “Objectively identify the strengths and gaps of your current security plans by using a variety of frameworks (such as National Institute of Standards and Technology, International Organization for Standardization/International Electrotechnical Commission 27001/27002, COBIT and ITIL) or third-party providers for assessing the current state of your program.”
Third, invest in cybersecurity training for students, faculty, and staff. No matter how stable and secure your network and infrastructure are, there is always one thing to consider — the human factor. The clearest example is phishing, or its more sophisticated counterpart, spear-phishing. Spear-phishers disguise themselves as trusted sources or entities and ask for a simple task, like paying an invoice or replying to an email.
Fourth, Gartner further recommends that institutions “adopt security and privacy policies that enable faculty, staff, and students to control what personal data is collected and on what legal grounds that processing takes place.”
Lastly, you must evaluate current practices and methods used for collecting and storing institutional data.
As with all matters in higher education, there are bound to be constraints when it comes to security and risk management, from limited funding to regulation and laws to finding the right talent and governance. There are many factors to consider when implementing a security risk management plan. Yet if these factors aren’t considered and dealt with, cyberattacks on universities will become ever more frequent and damaging. Meeting this challenge requires strategic planning and cybersecurity thinking.
One solution is to implement a business process management (BPM) platform to handle workflows and internal processes. Make sure your BPM software provider keeps security top of mind too. It should have clearly laid-out plans for data encryption, user authentication, application security, internal systems security, operating system security, database security, server management security, reliability and backup, and disaster recovery. Additionally, be sure that your BPM solution is backed by experienced, professional engineers and security specialists dedicated to data and systems protection.