Evolving Cybersecurity Risks in Higher Education Institutions
August 30, 2022
Higher education technology is constantly evolving, making it challenging to keep up with ongoing cybersecurity threats and the increased risk they bring to an organization. Globally, institutions have been impacted by current events such as the ongoing pandemic, the war on Ukraine, and the growing digital footprint. As a result, the higher education landscape continues to see significant advances in the complexity, scope, and severity of the impact that hackers and malicious activity introduce.
Higher Education Institutions and Cybersecurity Risks
Higher education institutions are no exception to cybersecurity risks and threats; in fact, the industry is potentially more at risk with the recent shift to online and remote learning. A mid-pandemic QuickPoll survey by EDUCAUSE revealed that colleges and universities rank third for the most data breaches and related threats. Between legacy technologies needing updates, budget cuts, and cybersecurity staffing concerns, many institutions struggle to get in front of the incoming threats.
Additionally, the pandemic has increased the need for end-user security measures as remote capabilities expand and the adoption of virtual work environments continues. As a result, the industry is seeing an uptick in multi-factor authentication implementations, partnerships with security operations centers for around-the-clock monitoring across devices, additional cyber insurance coverage for added protection, and much more.
OculusIT Observations: Evolving Cybersecurity within Higher Education
The cybersecurity team at OculusIT has proactively researched and identified some of the top trends and evolving risks that continue to threaten and challenge higher education institutions. As we examined these trends and risks, we noted six categories relevant to higher education.
1. Cybersecurity Workforce
At the top of our list are the changes and challenges facing the cybersecurity workforce within higher education. Between the continuation of the Great Resignation, the rise of “quiet quitting,” and the challenges of critical cyber skills outpacing workforce capabilities, the need for experienced cybersecurity professionals has never been higher. When you add in GLBA requirements that now mandate institutions staff a Chief Information Security Officer, damaging budget cuts, and employee burnout, the challenges of the cybersecurity workforce pose a significant emerging risk to an institution’s cyber hygiene and posture.
2. Laws and Regulations
The adoption of legislation governing higher education cybersecurity emphasizes the need for a regulatory framework that can help decrease security incidents. Cyberattacks against colleges and universities have increased exponentially over the past five years, not only costing millions of dollars annually but in some cases causing an institution to close its doors forever. These new laws seek to prevent breaches while fostering a culture of cybersecurity within higher education. However, the challenge is that conflicting viewpoints make it difficult to mandate such laws despite the potential benefits to data security. Federal law under the Gramm-Leach-Bliley Act (GLBA) requires that all public and private Title IV institutions adhere to the outlined cybersecurity requirements, including the staffing of a dedicated Chief Information Security Officer, by the end of this calendar year.
3. Human Factor
End-user behavior introduces the human factor as one of the biggest threats to an institution’s cybersecurity, and students, faculty, and staff are the first line of defense against cyberattacks. From using weak passwords to falling for phishing scams, even the most well-trained and educated end-users can accidentally leave your institution susceptible to a security breach. More higher education institutions have been taking proactive measures to provide better support to their end-users by implementing tools such as multi-factor authentication, passwordless access, single sign-on, continuous cybersecurity training, and more.
4. Third-Party Cloud and Web Vulnerability
Next on our list is the weak management of your institution’s vendor and third-party access, which can introduce unnecessary risk to even the most secure networks. When analyzing past data and security breaches, our data shows that third parties are one of the leading factors in costly cyberattacks due to insecure vendor controls. Before granting a vendor access to your institution’s systems, you must do due diligence to minimize operational, regulatory, and security risks. Furthermore, vendor assessments should be established and executed before, during, and after access has been given to adequately manage third-party risk. OculusIT is proud to support higher education institutions with third-party security programs as part of its managed security services offering.
5. Cybersecurity Insurance
While there are misconceptions about the role that cyber insurance plays in higher education security, one thing remains certain: cyber insurance providers are just as invested in reducing risk as your IT team. Cybersecurity insurance won’t minimize the likelihood of an attack; however, it will help cover the costs and improve your institution’s recovery time. Cyber insurance provides institutions with an added layer of protection, acting as a shield from financial fallout from ransomware attacks, data breach lawsuits, federal regulatory fines, and more. Most cyber insurance companies will review your institution’s security profile and overarching cyber hygiene as part of the process for coverage renewals and policy reinstatement, so it is important to proactively address any gaps in your security program as they arise.
6. Emerging Technologies
Finally, any change to your institution’s infrastructure—including introducing new and emerging technologies—poses continued cyber risks. With the rise of online and web-based technologies, slow adoption rates and changes to business processes and workflows can cause security gaps. Therefore, thoroughly considering your implementation plan is vital.
Prepare your institution for a secure cyberculture
Keeping up your institution’s cyber posture with all these emerging risks can be daunting, but OculusIT is here to help. With OculusIT, your institution receives white-glove service through OculusIT EYE, our high-touch Security Operations Center. This service includes 24x7x365 Staffed Monitoring, Security Analytics, Intrusion Detection, Log Data Analysis, File Integrity Monitoring, Real-Time Vulnerability Check, Forensics and Tracing, Systems Hardening, Container Security, Cloud Security, and Regulatory Compliance. Beyond our SOCaaS offering, OculusIT offers remote IT leadership, including virtual CISO, IT staff augmentation, managed and professional services, and more.
If your institution could benefit from the guidance and leadership of OculusIT’s shared services model, let us know.
About the Author
The majority of Brian Cornell’s 20-year technology and cybersecurity leadership career has been spent supporting higher education institutions in developing and maturing their information security programs. He has extensive experience providing policy guidance, risk assessments, and strategic planning aimed at protecting and securing institutional assets. As Chief Information Security Officer at OculusIT, Brian’s deep knowledge of security frameworks and compliance requirements supports our clients in the improvement and advancement of their security goals and initiatives.
OculusIT is a global, all-inclusive managed IT, security, and cloud services company dedicated to serving the education industry. Our strategy is to offer the most cost-effective and responsive partnership that provides flexibility and nimbleness in response to economic changes and directly contributes to higher education’s ability to provide and maintain the highest quality IT services.