A Vital Role

Campuses must embrace their responsibility to protect students and staff from cyber threats

From a campus security management standpoint, the safety and security of students, staff, faculty and visitors should be top of mind for administrators and security staff alike. Ensuring the protection of people and facilities reduces an institution’s potential risk and exposure.

Reducing Exposure

However, the need for protection is not only limited to the physical, as digital assets, individuals’ identities and sensitive information are constantly under attack from bad actors. In our increasingly connected world, any and all devices and systems that are connected to a network pose potential risk and could even be used as an entry point to gain access to even more networks, systems and data.

These risks are not merely theoretical. In research conducted by CDW-G, 60 percent of IT professionals surveyed said their institution had experienced a data breach in the last year, with 29 percent of those breaches resulting in documented data loss. So while cybersecurity may not be a top priority for university leaders, the risks and consequences of network breaches place increased importance on protecting the networks and systems that support the academic goals of educational institutions.

According to the CDW-G survey, the main reason colleges and universities are particularly vulnerable to cyber attacks boils down to a general lack of preparedness. In the study, less than half of campus IT staff surveyed reported that they had implemented critical cybersecurity measures like network segmentation (46 percent), endpoint protection (45 percent), remote access controls (44 percent) and two-factor authentication (39 percent).

The first step educational institutions should take to implement the strongest level of cybersecurity is to develop a written cybersecurity strategy that can be used to ensure that all devices and systems comply with security policies. There are many factors that can come into play with these policies, including compliance with regulations and standards like GDPR, ISO 27001, PCI and others. It is also important that devices are aligned with standard risk-management tools and practices.

Once developed, a cybersecurity strategy will help ensure that devices and systems provide strong protection by providing specific guidance on the three key network protection factors outlined below.

Password Management

Creating strong passwords seems like a fairly simple action to take, yet it’s all too often overlooked in favor of more complex technologies and practices for protecting devices and systems. However, simply creating a strong, unique password is not only an excellent first step in building strong cybersecurity, but it’s also the easiest way to prevent unauthorized access to systems.

There are a number of best practices for creating passwords that will decrease the likelihood of unauthorized access. To ensure the most robust protection, passwords should have no fewer than eight characters, which should be a mix of upper and lowercase letters, numbers and symbols and should not include words that can be found in a dictionary. Passphrases, such as a made-up sentence, can help users remember increasingly complex passwords.

At the same time, even the most robust, difficult-to-crack password is only good for a short period of time. Passwords must be changed on a regular basis, especially when several people have access to a particular system. It is human nature to share passwords with others. While it may seem innocuous, this practice can actually have negative consequences for cybersecurity. In an educational setting, students come and go every year, making it even more vital that passwords are changed regularly.

This fact leads into a second best practice for password management: controlling who is given passwords in the first place. For example, a password that provides admin level access should only be given to a very small group of people, who can then create and issue temporary accounts to those who may need to access a system for a specified period of time. When a project is completed or when that time frame has elapsed, those accounts can easily be deleted to prevent ongoing access.

Updating and Patching

Like password management, keeping device firmware and software up-to-date is another simple but often overlooked step in ensuring strong cybersecurity. Updates provide patches against cybersecurity vulnerabilities that may exist, as well as fixes for any bugs that may be present in the software. By updating regularly, institutions will benefit from more secure, more reliable and more efficient systems.

Another aspect of patching and updating that is often overlooked is the need to apply updates across all devices across the network, including workstations, IP cameras, switches, servers, routers and others. All of these devices must be regularly updated, but the good news is that it’s not always necessary to perform the task the moment a manufacturer or provider issues a new update. The update may not yet be aligned with devices and systems from other sources that are integrated together into the network ecosystem. In these situations, updating one device or system may cause problems with others, so it’s better to create an updating and patching schedule that your institution can adhere to.

It is highly beneficial to have non-production test systems or labs for testing patches before deploying them on production systems to reduce the risk of any incompatibilities. Testing and patching isn’t one-size-fits-all, as each system is unique, but by evaluating the risks associated with the patches, IT administrators can make better decisions on what to prioritize for patching and updating endpoints. This might be monthly, quarterly or twice a year depending on the number and size of systems, as well as the time and resources available to dedicate to this vital task.

A main stumbling block to effective updating and patching can be confusion over who bears the responsibility for performing these functions. Without clearly defined roles, these vital tasks can easily fall through the cracks. This underscores the importance of a cybersecurity strategy that clearly spells out who owns these tasks, which may fall to a specific individual, department or contractor.

Network Segmentation

All devices connected to a network represent potential back doors that hackers could exploit to gain access to a network and the various systems it’s connected to. Therefore, as evidenced by the number of high-profile breaches that seem to be occurring with alarming regularity, cybersecurity is a top priority for everyone.

One of the greatest concerns with networked devices is that they could be used as a platform to breach other parts of a system, which could then be used to gather data or take down or hijack a system. In theory, any networked device can be used to attack another network device, and all devices and systems offer the potential to be vulnerable, meaning cybersecurity is only as strong as the weakest device connected to a network. Therefore, it is essential that all networked devices provide the level of security necessary to protect the overall system from the potentially catastrophic effects of a breach.

Unfortunately, in the Internet of Things (IoT) and bring-your-own-device (BYOD) world, it’s not always easy to ensure that all devices and systems connected to the network provide the necessary level of cybersecurity to prevent breaches. As a result, the human element can easily undermine even the best cybersecurity technologies and practices.

As an example, network security provider Infoblox found that 48 percent of IT administrators surveyed feel their greatest security risks come from within the campus, whether from compromised devices or intentional acts. In that same study, 54 percent of respondents said that at least 25 percent of students’ devices come to campus already infected by malware, while one-third of the students surveyed indicated they knew fellow classmates had attempted malicious acts on a school’s network.

The free flow of information and ideas is a hallmark of academics, so it simply isn’t realistic to prohibit students, faculty and staff from accessing an institution’s network. At the same time, it’s vital to ensure that personal devices don’t contain vulnerabilities that hackers could exploit to gain access to other devices and systems and the sensitive information they contain.

One way institutions can reduce the likelihood of this is by using network segmentation to isolate certain types of devices from other systems and the sensitive information they contain. For example, students and staff could be allowed to access one part of the network for research and communication, while academic and financial information could be stored on a separate system.

It is also important to segment out HVAC, physical security systems, point of sale systems and more. This would prevent a compromised laptop or smartphone from providing bad actors with access to highly sensitive data that could be used for identity theft or other crimes. It would also decrease the likelihood of a tech-savvy student accessing school systems, whether for fun or to engage in malicious activities. Encryption of data is critical in all aspects of the network system, and while this practice is usually more enforced for IT systems, the same protection needs to be implemented on IoT and other systems on the network.
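The segmentation described above only holds if the firewall rules between segments actually enforce it. The following is an added example, not part of the original article, that audits a set of allow rules for paths from a student/BYOD segment into the restricted segments the article names; the segment names, address ranges and rules are constructed for illustration.

```python
import ipaddress

# Constructed campus segments (example addressing, not from the article).
SEGMENTS = {
    "student_byod": "10.10.0.0/16",
    "staff": "10.20.0.0/16",
    "academic_financial": "10.30.0.0/24",
    "hvac": "10.40.0.0/24",
    "physical_security": "10.41.0.0/24",
    "point_of_sale": "10.42.0.0/24",
}
# Segments that personal devices must never reach directly.
RESTRICTED = {"academic_financial", "hvac", "physical_security", "point_of_sale"}
UNTRUSTED = {"student_byod"}

# Constructed allow rules: (name, source CIDR, destination CIDR, port; 0 = any).
RULES = [
    ("student-web", "10.10.0.0/16", "10.50.0.0/24", 443),
    ("staff-finance-app", "10.20.5.0/24", "10.30.0.10/32", 443),
    ("legacy-any-any", "10.0.0.0/8", "10.0.0.0/8", 0),
    ("camera-viewer", "10.10.7.0/24", "10.41.0.0/24", 554),
]

def segments_touched(cidr, names):
    """Return the segment names in `names` whose range overlaps `cidr`."""
    net = ipaddress.ip_network(cidr)
    return sorted(n for n in names
                  if net.overlaps(ipaddress.ip_network(SEGMENTS[n])))

def audit(rules):
    """Flag allow rules that let an untrusted segment reach a restricted one."""
    findings = []
    for name, src, dst, _port in rules:
        sources = segments_touched(src, UNTRUSTED)
        targets = segments_touched(dst, RESTRICTED)
        # Overlap, not equality: a broad "any" rule is caught as well.
        if sources and targets:
            findings.append((name, sources, targets))
    return findings

if __name__ == "__main__":
    for name, sources, targets in audit(RULES):
        print(f"{name}: {sources} can reach {targets}")
```

Overly broad legacy rules are the usual way segmentation erodes, which is why the check tests for range overlap rather than an exact segment match.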

Given the risks associated with network breaches, and the ease with which unsecured devices can provide entry points for hackers, educational institutions must make cybersecurity a main component of overall security management for their campuses. With a written cybersecurity policy that addresses these and other factors, combined with user education and practices that monitor adherence to established policies, IT administrators can make tremendous strides toward providing the highest level of protection for students, staff and faculty as well as sensitive information and assets.

This article originally appeared in the March/April 2020 issue of Campus Security & Life Safety.