Top information security practices for higher education

Key takeaways

• Institutions can take several immediate steps to combat cyberattacks.
• Key focus areas include information security governance, compliance, data protection, and privacy programs.
• It’s essential to educate your community though ongoing awareness programs.

Cyberattacks and phishing are on the rise, but institutions can take several immediate steps to help protect their sensitive data from intrusions. In line with the recommendations of the EDUCAUSE Higher Education Information Security Council (HEISC) and other industry groups, Ellucian recommends nine best practices in information security governance, compliance, data protection, and privacy programs that will strengthen your security position quickly and effectively.

1. Automatic updates

Up-to-date security patches form the backbone of any secure system. All end-user computing devices should have automatic updates enabled, and all should be running the latest secure OS and application patches to reduce the risk of exploit, unauthorized access, and loss of information assets and data.

2. Anti-virus and malware solutions

Installing and keeping up-to-date anti-virus and anti-malware solutions on user endpoint systems is another integral part of your institution’s front-line defense. It doesn’t have to be a costly endeavor. A solution like Microsoft’s Defender is included with the operating system and can help defend against viruses and malware.

3. Email security

By utilizing the security features of your enterprise email solution, you can reduce the risk to your institution through its most used communication tool. Consider enabling features like:

• Antivirus/anti-malware scanning of attachments
• Deep link inspection
• Spam filtering
• Anti-spoofing
• Encryption (for sensitive data emails)
• Configured and deployed SPF/DKIM/DMARC records
• Data loss filtering capabilities (DLP)
• Multifactor authentication (for email access)
• Email header tagging (to identify externally sourced emails)
• Email domain blacklisting services

4. Anti-phishing measures

Email is the leading attack vector for cybercriminals, and most cyberattacks start with email phishing attempts. By implementing an effective anti-phishing program now, you can lower your institution’s risk from phishing attacks.

• User awareness — Make sure your employees and students always stay aware of the threat phishing poses, how to identify phishing emails, and, just as importantly, what to do when they suspect a phishing attempt. By implementing email features like email header tagging for externally sourced emails, you can help your end users determine where more scrutiny may be needed. There are numerous free resources available, such as EDUCAUSE and SANS, to help get you started.
• Simulated phishing campaigns — By implementing a formal simulated phishing program and testing your employees’ ability to identify and report phishing emails, your institution can gauge where awareness is needed and track the long-term performance and effectiveness of your awareness program.

5. Multi-factor authentication (MFA)

By adding multi-factor authentication requirements at critical points, you can dramatically reduce the risk of unauthorized access to your institution’s information assets and data. Consider adding MFA for all users to access the following:

• Remote administration
• VPN
• Enterprise email
• ERP and HRIS
• File storage
• Other applications housing sensitive data

6. Ransomware protection

The threat and consequences of a ransomware attack are enormous to unprepared institutions. Here are three steps you can take now to mitigate the impact in the event of such an attack:

• Backup and recovery — Ensure all critical systems and data are backed up and recovery capabilities have been validated. The ability to recover data encrypted by ransomware is critical.
• Drive mappings — If possible, eliminate the use of mapped/shared drives. This will prevent ransomware-infected systems from reaching data hosted on remote systems, thus minimizing the scope of the threat.
• Antivirus and anti-malware — Again, installing and keeping up-to-date antivirus and anti-malware solutions on user endpoint systems can reduce the risk of ransomware being executed on your system.

7. Payroll and invoicing process review

The threat of payroll and invoice fraud against higher education institutions is rising. This type of threat exploits institutional processes around these functions, often regardless of the solution in use. It’s critical to review your payroll and invoice processes to identify any steps that could be manipulated to bypass intended validation and authorization points.

8. Email validation

Higher education institutions are facing a relatively new threat involving the mass creation of fraudulent accounts in their ERP systems. A simple way to minimize your risk: enable email validation features within your ERP system.

9. Compliance

While compliance requirements can be difficult to keep up with, it’s vital to stay abreast of new and changing requirements that can affect your institution. Work with your legal counsel to fully understand your obligations and ensure that your cloud providers can support you in your compliance efforts.