It’s never easy to secure a network properly, but this is an especially difficult task for those in higher education. Colleges and universities have a wide variety of functions within their purview, they have an alphabet soup of security compliance regulations to contend with and they have a culture that is particularly sensitive to restricting the free flow of information. Even with an unlimited budget, this would be a Herculean task.
Criminals are seizing this opportunity with increasing force, and schools are feeling the squeeze. In EDUCAUSE’s 2015 poll, security issues occupied the bottom slots of the top ten areas of concern for CIOs and IT leaders in education. Every year since then, Information Security has been considered the number one IT issue. Breaches are a major problem, and more people seem to understand now that everyone is a target in the eyes of cybercriminals.
Because colleges and universities have so much to do with such limited resources, they need to be more deliberate and strategic when establishing their security postures. While other types of organizations may be able to lock all their systems down to protect their assets, post-secondary schools must do a more delicate balancing act in order to meet students, staff and administrators where they are, rather than forcing them to comply with requirements that make it difficult (if not impossible) to do what they need to do.
What are you protecting?
One of the first steps that security experts recommend is a thorough and ongoing risk assessment. The key point of this process is to get visibility into your environment. It’s important to identify all of your assets, both in terms of types of data and physical machines. Don’t forget that one machine moldering in a back room that is running prehistoric versions of its software but which is nonetheless connected to the internet. Attackers will not necessarily enter networks through obvious places, and data that are most valuable to a criminal may not be obvious. Assume that if information has value to someone within your organization, it has monetary value to an attacker.
In colleges and universities, this process will necessarily involve a certain number of unknown variables as these institutions have a more itinerant population than most other types of organizations, and students will need to bring their own devices. This uncertainty underlines the importance of making risk assessment a regular task rather than a yearly chore and of building a network topology that allows for uncertainty.
How are you protecting?
Now that you’re aware of your assets and their risks, the next step is to mitigate those risks. A lot of hazards can be lessened by following common “best practices” like applying software updates in a timely fashion, using a reputable anti-malware program at the gateway and on endpoints, using firewalls and intrusion prevention software, filtering email for unwanted or malicious content and encrypting sensitive data.
I use scare quotes around the phrase “best practices” because, while they are strongly recommended in the vast majority of cases, there are times when implementing these solutions may simply not be feasible. But this does not mean you should be leaving gaping holes in your protection.
Inevitably there will be machines on your network that can be tightly locked down, and there will be others that cannot. Likewise, some users may require wide-ranging access, while others may be able to operate when limited by tighter controls. You can and should create a network that has different levels of access according to your users’ levels of need. And, as much as possible, you should limit access from one level to another so that unprotected or legacy devices cannot be used to leverage an attack on more sensitive areas of your network.
A key part of keeping these levels separate is using account management for the purposes of authentication as well as authorization. Many of us think of usernames and passwords as a way to verify our identity, but our login accounts can also be assigned permissions that regulate who can access which resources. For example, someone working in payroll will not likely need access to healthcare records. And students’ unsecured devices should be completely isolated from both of these areas.
Because login credentials can be easily compromised or stolen, username plus password should not be your only method of authentication, especially for sensitive systems. Two-factor authentication is now available on most online services and can be easily added to your own login processes.
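The three points above (access tiers by need, no free movement from less protected tiers into sensitive ones, and password-only logins being insufficient for sensitive systems) fit naturally into one policy check. The following is an added example written for this page, not code from the article or from ESET; the tiers, roles, flow rules and the sample sessions are all constructed, and in a real deployment the segment rules would live in firewall or VLAN policy and the role data in the directory rather than in Python dictionaries.

```python
"""Least-privilege access check for a segmented campus network (added example).

Models the article's guidance as a small policy evaluator:
  1. resources sit in sensitivity tiers (network segments),
  2. accounts carry roles that grant access to specific tiers
     (authorization on top of authentication), and
  3. sensitive tiers refuse sessions that authenticated with a password
     alone, so a stolen password by itself is not enough.
All tier names, roles, flow rules and sessions below are constructed.
"""
from dataclasses import dataclass, field

# Sensitivity tiers, least to most sensitive (constructed).
TIER_ORDER = ["student_byod", "general_staff", "payroll", "health_records"]

# Which segments may open connections to which tiers (constructed policy).
# Student/BYOD devices stay isolated; staff workstations may reach the
# sensitive tiers only because the role and MFA checks below still apply.
ALLOWED_FLOWS = {
    "student_byod": {"student_byod"},
    "general_staff": {"general_staff", "payroll", "health_records"},
    "payroll": {"payroll", "general_staff"},
    "health_records": {"health_records", "general_staff"},
}

# Role -> tiers that role is authorized for (constructed).
ROLE_TIERS = {
    "student": {"student_byod"},
    "staff": {"general_staff"},
    "payroll_clerk": {"general_staff", "payroll"},
    "clinician": {"general_staff", "health_records"},
}

# Tiers that require a second authentication factor.
MFA_REQUIRED = {"payroll", "health_records"}


@dataclass
class Session:
    user: str
    roles: set
    source_tier: str                       # segment the request comes from
    factors: set = field(default_factory=lambda: {"password"})


def authorize(session: Session, target_tier: str) -> tuple:
    """Return (allowed, reason); every denial names the check that failed."""
    if target_tier not in TIER_ORDER or session.source_tier not in TIER_ORDER:
        return False, "unknown tier"
    # Segmentation is checked first and applies regardless of identity, so a
    # compromised device in a low tier cannot be used as a stepping stone.
    if target_tier not in ALLOWED_FLOWS[session.source_tier]:
        return False, f"segment {session.source_tier} may not reach {target_tier}"
    # Authorization: at least one of the account's roles must grant the tier.
    granted = set().union(*(ROLE_TIERS.get(r, set()) for r in session.roles))
    if target_tier not in granted:
        return False, f"no role of {session.user} grants {target_tier}"
    # Step-up authentication: password alone is not accepted for sensitive tiers.
    if target_tier in MFA_REQUIRED and session.factors <= {"password"}:
        return False, f"{target_tier} requires a second factor"
    return True, "ok"


def reachable_tiers(session: Session) -> list:
    """Tiers this session could access right now, useful for audit reports."""
    return [t for t in TIER_ORDER if authorize(session, t)[0]]


if __name__ == "__main__":
    clerk = Session("clerk", {"staff", "payroll_clerk"}, "general_staff",
                    {"password", "totp"})
    for tier in TIER_ORDER:
        print(tier, authorize(clerk, tier))
    print("password-only clerk:",
          authorize(Session("clerk", {"staff", "payroll_clerk"}, "general_staff"),
                    "payroll"))
```

Ordering the checks as segment, then role, then factor strength means the cheapest and broadest control is applied first, and the reason string makes it clear in logs which layer blocked a request, which is what you want when tuning the policy against how users actually work.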
Methods for improving human factors
Technological solutions like those we’ve discussed can help mitigate some risks, but if you’re not addressing the people using your network, your hard work may all be for naught. If security methods cause too much hassle, or if your users don’t understand what constitutes safe computing behavior or why it’s essential, they may thwart technological protections.
- Train early and often
You wouldn’t explain the whole of geometry to a student once and then leave it at that. Likewise, it’s important to give security lessons to your users in digestible chunks and then build on important concepts over time. Regular testing can also be a great way to check the effectiveness of your training and to see which areas need to be revisited. Have an Acceptable Use Policy and make sure it’s posted in places where users will see it often.
- See how users do their work
Security has gotten a bad reputation for being all about introducing impossible hurdles and about constantly looking over people’s shoulders. By working with your users to see how they go about their daily tasks, you can tailor security measures to their needs so that these measures enable users to safely do what they need to do. If implemented properly, security measures can even help users strengthen their privacy.
- Reward safer behavior
Users are the eyes and ears of your network. You can improve your response time to security incidents by enlisting students and staff to help identify problems. Rewarding safer behavior and prompt reporting of problems helps encourage this behavior.
- Gather and share information
The information security and law-enforcement communities rely heavily on data and samples from people who’ve had security incidents. By gathering forensic data after an attack, you can share it with those who are in a position to use it to help the internet at large.
While securing computers in colleges and universities is by no means an easy task, it’s not an impossible one. By spending more time up front to create a sensible security strategy, you can save yourself from the even greater pain and effort of having to clean up after a breach.