How do you win the cybersecurity arms race?
- Never stop updating policies, processes, and technology
- Transitioning data to the cloud is a smart move for many institutions
- Audit everything often and be comfortable with the fact that the job is never done
Like most industries, higher education finds itself in a cybersecurity “arms race.” By the time institutions implement tools and strategies to confront one threat, another has emerged.
From a cost standpoint alone, you’ll never “win” the war. Failing to prevent an attack will cost you, but so will succeeding, because success means you probably invested heavily in a good security programme.
The goal in today’s information security race is simply to stay in the lead—to effectively manage your risks and minimise disruption in a “not if, but when” world. And that means accepting the reality that investing in cybersecurity technology, education, and planning can never stop.
Here are five “nevers” that’ll keep you in the lead:
Never get complacent
Compared to other industries, higher education has not been an obvious, high-profile target for hackers to date. We have yet to experience a large-scale attack—the kind that shocks the system and catalyses large-scale change.
That’s likely why many institutions are under-investing in security. And it’s understandable. When funding is tight, the needs that seem most immediate often take precedence over anything that feels like it can be pushed back a year.
But whether you have or have not been attacked, whether you’re a large institution or small, consider information security an urgent need. In choosing targets, hackers weigh the cost of an attack vs. the value of the information. As higher education stores more and more high-value student data, research, and other information digitally, it becomes more of a target.
Chief information officers in higher education understand the urgency. In a 2016 survey, the Leadership Board for CIOs asked them for the one technology they will HAVE to invest in over the next five years. The top answer? Security.
Never stop educating
The arms race is not solely technological. Some of your biggest vulnerabilities are human.
Whether it’s an employee being tricked into giving up sensitive information, an insider hack, or unenforced policies on identity management, cracks in your human firewall are as dangerous as those in your digital firewall.
For example, the Internet of things (IoT) brings a whole new wave of security concerns, as smart devices with their own operating systems and network connections proliferate. But the biggest security weakness with IoT devices? According to a 2017 report by Symantec1, it’s the use of default passwords—a decidedly old problem that can be fixed with education.
That’s why education needs to be an ongoing priority. First, a large percentage of best practices (create strong passwords, stay alert for scams, etc.) remain relevant even as technology evolves. And second, new threats and mitigation strategies are constantly emerging, making once-a-year IT security training inadequate. Educate end users often, using multiple online and in-person approaches.
Ongoing training for your IT staff is equally critical. With the pace of change, IT skills are becoming outdated more quickly than in the past. And finding new talent is particularly tough these days. So invest in your current IT staff to ensure they have the skills, experience, and certifications needed to fight cybercrime.
Never stop upgrading technology
There’s an understandable sense that just when you get a new system in place, the game has changed, and you need something entirely new. But completely overhauling your technology on a regular basis is not required in order to keep pace with security threats. What is required:
- Install updates and patches as soon as they’re available
- Retire legacy systems that are no longer protected against threats (and not just once; audit systems regularly to determine whether they need to be retired or improved)
- Invest in some new tools and technology regularly (while there is pressure for technology to become more efficient, security is not the best place to reduce your budget over time)
While it might feel like the investments you’ve already made will soon be obsolete, a lot of malicious activity remains rudimentary in nature. If you’ve implemented basic security protocols and technology, they’ll still be effective against all but the most advanced attacks for quite some time.
To address more advanced threats, or if you’re having trouble getting even basic systems and processes in place, consider relying more on partners. Vendors that specialise in information security have significantly more resources and expertise than you can likely build in house. By outsourcing some aspects of security, you can use your own resources more efficiently.
Transitioning data to the cloud, for example, might be a smart security move for institutions with outdated infrastructure or skills.
Never stop updating policies and processes
This “never” straddles the human and technology components of information security.
A big part of security is implementing policies that govern human behaviour—what people can and can’t do with data and data technology. Another is embedding those policies into systems and processes across the institution, so that they’re enforced.
As threats and potentially harmful behaviours change, so should your policies and processes. Audit them regularly, just like you do with technology.
For example, five years ago, most institutions didn’t have a formal requirement of two-factor authentication on financial transactions. As adversaries have become more skilled, using an email or text verification on top of a password is becoming the norm. But any new normal requires changes to policies and processes—and, the user education that accompanies both.
Evolving regulatory requirements also require vigilance in this area. For example, if institutions haven’t updated policies and processes in anticipation of the EU’s new GDPR regulations, which go into effect in May 2018, they could incur major penalties due to non-compliance.
Never stop learning
This is perhaps a fitting sentiment not only for the end of this blog, but for the end of this series as well.
The more you know, the safer you are. This applies to both the external threats and your own internal people, systems, processes, and technology. A few tips:
- Audit everything often
- Follow up aggressively with incidents, and use them to learn and improve over time
- Create a culture where everyone is committed to learning, flagging concerns and anomalies, and being transparent
- Stay highly engaged with industry forums, conferences, and publications
- Get comfortable with the fact that the job is never done
Higher education is powered by the idea that the world’s top challenges can be solved through careful study, intellectual rigor, and cross-disciplinary collaboration. These same values will empower us to thrive in the midst of an insecure, but exciting, age of information.
Read the complete infosec blog series.
1Internet Security Threat Report, April 2017, Symantec