A Vital Role
Campuses must embrace their responsibility to protect students and staff from cyber threats
- By Wayne Dorris
- April 14, 2020
From a campus security management standpoint, the
safety and security of students, staff, faculty and visitors
should be top of mind for administrators and security
staff alike. Ensuring the protection of people and facilities
reduces an institution’s potential risk and exposure.
Reducing Exposure
However, the need for protection is not limited to the physical,
as digital assets, individuals’ identities and sensitive information are
constantly under attack from bad actors. In our increasingly connected
world, every device and system connected to a
network poses potential risk and could be used as an entry point
to gain access to even more networks, systems and data.
These risks are not merely theoretical. In research conducted by
CDW-G, 60 percent of IT professionals surveyed said their institution
had experienced a data breach in the last year, with 29 percent of
those breaches resulting in documented data loss. So while cybersecurity
may not be a top priority for university leaders, the risks and
consequences of network breaches place increased importance on
protecting the networks and systems that support the academic goals
of educational institutions.
According to the CDW-G survey, the main reason colleges and
universities are particularly vulnerable to cyber attacks boils down to
a general lack of preparedness. In the study, less than half of campus
IT staff surveyed reported that they had implemented critical cybersecurity
measures like network segmentation (46 percent), endpoint
protection (45 percent), remote access controls (44 percent) and two-factor
authentication (39 percent).
The first step educational institutions should take to implement
the strongest level of cybersecurity is to develop a written cybersecurity
strategy that can be used to ensure that all devices and systems
comply with security policies. There are many factors that can come
into play with these policies, including compliance with regulations
and standards like GDPR, ISO 27001, PCI and others. It is also
important that devices are aligned with standard risk-management
tools and practices.
Once developed, a cybersecurity strategy will help ensure that
devices and systems provide strong protection by providing specific
guidance on the three key network protection factors outlined below.
Password Management
Creating strong passwords seems like a fairly simple action to take,
yet it’s all too often overlooked in favor of more complex technologies
and practices for protecting devices and systems. However, simply
creating a strong, unique password is not only an excellent first step
in building strong cybersecurity, but it’s also the easiest way to prevent
unauthorized access to systems.
There are a number of best practices for creating passwords that
will decrease the likelihood of unauthorized access. To ensure the
most robust protection, passwords should have no fewer than eight
characters, which should be a mix of upper and lowercase letters,
numbers and symbols and should not include words that can be
found in a dictionary. Passphrases, such as a made-up sentence, can
help users remember increasingly complex passwords.
At the same time, even the most robust, difficult-to-crack password
is only good for a short period of time. Passwords must be
changed on a regular basis, especially when several people have
access to a particular system. It is human nature to share passwords
with others. While it may seem innocuous, this practice can actually
have negative consequences for cybersecurity. In an educational setting,
students come and go every year, making it even more vital that
passwords are changed regularly.
This fact leads into a second best practice for password management:
controlling who is given passwords in the first place. For example,
a password that provides admin level access should only be given
to a very small group of people, who can then create and issue temporary
accounts to those who may need to access a system for a specified
period of time. When a project is completed or when that time
frame has elapsed, those accounts can easily be deleted to prevent
ongoing access.
Updating and Patching
Like password management, keeping device firmware and software
up-to-date is another simple but often overlooked step in ensuring
strong cybersecurity. Updates provide patches against cybersecurity
vulnerabilities that may exist, as well as fixes for any bugs that may be
present in the software. By updating regularly, institutions will benefit
from more secure, more reliable and more efficient systems.
Another aspect of patching and updating that is often overlooked
is the need to apply updates to all devices across the network,
including workstations, IP cameras, switches, servers, routers and
others. All of these devices must be regularly updated, but the good
news is that it’s not always necessary to perform the task the moment
a manufacturer or provider issues a new update. The update may not
yet be aligned with devices and systems from other sources that are
integrated together into the network ecosystem. In these situations,
updating one device or system may cause problems with others, so it’s
better to create an updating and patching schedule that your institution
can adhere to.
It is highly beneficial to have non-production test systems or labs
for testing patches before deploying them on production systems
to reduce the risk of any incompatibilities. Testing and patching isn’t
one-size-fits-all, as each system is unique, but by evaluating the risks
of the patches, IT administrators can make better decisions on what to
prioritize for patching and updating endpoints. This might be monthly,
quarterly or twice a year depending on the number and size of
systems, as well as the time and resources available to dedicate to this
vital task.
A main stumbling block to effective updating and patching can be
confusion over who bears the responsibility for performing these
functions. Without clearly defined roles, these vital tasks can easily
fall through the cracks. This underscores the importance of a cybersecurity
strategy that clearly spells out who owns these tasks, which
may fall to a specific individual, department or contractor.
Network Segmentation
All devices connected to a network represent potential back doors
that hackers could exploit to gain access to a network and the various
systems it’s connected to. Therefore, as evidenced by the number of
high-profile breaches that seem to be occurring with alarming regularity,
cybersecurity is a top priority for everyone.
One of the greatest concerns with networked devices is that they
could be used as a platform to breach other parts of a system, which
could then be used to gather data or take down or hijack a system. In
theory, any networked device can be used to attack another network
device, and all devices and systems offer the potential to be vulnerable,
meaning cybersecurity is only as strong as the weakest device
connected to a network. Therefore, it is essential that all networked
devices provide the level of security necessary to protect the overall
system from the potentially catastrophic effects of a breach.
Unfortunately, in the Internet of Things (IoT) and bring-your-own-device
(BYOD) world, it’s not always easy to ensure that all
devices and systems connected to the network provide the necessary
level of cybersecurity to prevent breaches. As a result, the human element
can easily undermine even the best cybersecurity technologies
and practices.
As an example, network security provider Infoblox found that 48
percent of IT administrators surveyed feel their greatest security risks
come from within the campus, whether from compromised devices
or intentional acts. In that same study, 54 percent of respondents said
that at least 25 percent of students’ devices come to campus already
infected by malware, while one-third of the students surveyed indicated
they knew fellow classmates had attempted malicious acts on a
school’s network.
The free flow of information and ideas is a hallmark of academics,
so it simply isn’t realistic to prohibit students, faculty and staff from
accessing an institution’s network. At the same time, it’s vital to
ensure that personal devices don’t contain vulnerabilities that hackers
could exploit to gain access to other devices and systems and the
sensitive information they contain.
One way institutions can reduce the likelihood of this is by using
network segmentation to isolate certain types of devices from other
systems and the sensitive information they contain. For example, students
and staff could be allowed to access one part of the network for
research and communication, while academic and financial information
could be stored on a separate system.
It is also important to segment out HVAC, physical security systems,
point of sale systems and more. This would prevent a compromised
laptop or smartphone from providing bad actors with access to highly
sensitive data that could be used for identity theft or other crimes. It
would also decrease the likelihood of a tech-savvy student accessing
school systems, whether for fun or to engage in malicious activities.
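The segmentation described above can be checked against the firewall rules that are actually deployed. The following is an added example, not part of the original article: the zone names follow the article's groupings, while the subnets, the allowed-flow policy and the sample rules are constructed assumptions.

```python
import ipaddress

# Constructed zone plan: names follow the article's groupings; subnets are made up.
ZONES = {
    "student_byod": "10.10.0.0/16",
    "staff": "10.20.0.0/16",
    "academic_finance": "10.30.0.0/24",
    "hvac": "10.40.0.0/24",
    "physical_security": "10.41.0.0/24",
    "point_of_sale": "10.42.0.0/24",
}
NETS = {zone: ipaddress.ip_network(cidr) for zone, cidr in ZONES.items()}

# Assumed policy: the only cross-zone flows permitted, as (src, dst) -> TCP ports.
ALLOWED = {
    ("staff", "academic_finance"): {443},
    ("staff", "physical_security"): {443},
}

# Constructed firewall allow rules to audit.
SAMPLE_RULES = [
    {"id": "R1", "src": "10.20.0.0/16", "dst": "10.30.0.0/24", "ports": [443]},
    {"id": "R2", "src": "10.10.0.0/16", "dst": "10.30.0.10/32", "ports": [1433]},
    # Overly broad source: covers every zone, including student devices.
    {"id": "R3", "src": "10.0.0.0/8", "dst": "10.40.0.0/24", "ports": [502]},
]

def zones_touched(cidr):
    """Return every zone whose subnet overlaps the rule's address range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [zone for zone, zone_net in NETS.items() if net.overlaps(zone_net)]

def audit(rules):
    """List (rule id, src zone, dst zone, ports) for flows the policy does not permit."""
    findings = []
    for rule in rules:
        for src in zones_touched(rule["src"]):
            for dst in zones_touched(rule["dst"]):
                if src == dst:
                    continue  # traffic inside one segment is out of scope here
                extra = set(rule["ports"]) - ALLOWED.get((src, dst), set())
                if extra:
                    findings.append((rule["id"], src, dst, sorted(extra)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Rule R3 shows why overlap matters more than exact matches: a single broad source range quietly gives the student segment a path to the HVAC controllers.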
Encryption of data is critical in all aspects of the network system,
and while this practice is usually enforced more rigorously for IT systems, the
same protection needs to be implemented on IoT and other systems
on the network.
Given the risks associated with network breaches, and the ease
with which unsecured devices can provide entry points for hackers,
educational institutions must make cybersecurity a main component
of overall security management for their campuses. With a written
cybersecurity policy that addresses these and other factors, combined
with user education and practices that monitor adherence to established
policies, IT administrators can make tremendous strides
toward providing the highest level of protection for students, staff
and faculty as well as sensitive information and assets.
This article originally appeared in the March/April 2020 issue of Campus Security Today.