Reducing information security risk

Top information security practices for higher education

By Josh Sosnin

Protect your sensitive institutional data with these nine key steps.

Key takeaways

  • Institutions can take several immediate steps to combat cyberattacks.
  • Key focus areas include information security governance, compliance, data protection, and privacy programs.
  • It’s essential to educate your community though ongoing awareness programs.

Cyberattacks and phishing are on the rise, but institutions can take several immediate steps to help protect their sensitive data from intrusions. In line with the recommendations of the EDUCAUSE Higher Education Information Security Council (HEISC) and other industry groups, Ellucian recommends nine best practices in information security governance, compliance, data protection, and privacy programs that will strengthen your security position quickly and effectively.

1. Automatic updates

Up-to-date security patches form the backbone of any secure system. All end-user computing devices should have automatic updates enabled, and all should be running the latest secure OS and application patches to reduce the risk of exploit, unauthorized access, and loss of information assets and data.

2. Anti-virus and malware solutions

Installing and keeping up-to-date anti-virus and anti-malware solutions on user endpoint systems is another integral part of your institution’s front-line defense. It doesn’t have to be a costly endeavor. A solution like Microsoft’s Defender is included with the operating system and can help defend against viruses and malware.

3. Email security

By utilizing the security features of your enterprise email solution, you can reduce the risk to your institution through its most used communication tool. Consider enabling features like:

  • Antivirus/anti-malware scanning of attachments
  • Deep link inspection
  • Spam filtering
  • Anti-spoofing
  • Encryption (for sensitive data emails)
  • Configured and deployed SPF/DKIM/DMARC records
  • Data loss filtering capabilities (DLP)
  • Multifactor authentication (for email access)
  • Email header tagging (to identify externally sourced emails)
  • Email domain blacklisting services

4. Anti-phishing measures

Email is the leading attack vector for cybercriminals, and most cyberattacks start with email phishing attempts. By implementing an effective anti-phishing program now, you can lower your institution’s risk from phishing attacks.

  • User awareness — Make sure your employees and students always stay aware of the threat phishing poses, how to identify phishing emails, and, just as importantly, what to do when they suspect a phishing attempt. By implementing email features like email header tagging for externally sourced emails, you can help your end users determine where more scrutiny may be needed. There are numerous free resources available, such as EDUCAUSE and SANS, to help get you started.
  • Simulated phishing campaigns — By implementing a formal simulated phishing program and testing your employees’ ability to identify and report phishing emails, your institution can gauge where awareness is needed and track the long-term performance and effectiveness of your awareness program.

5. Multi-factor authentication (MFA)

By adding multi-factor authentication requirements at critical points, you can dramatically reduce the risk of unauthorized access to your institution’s information assets and data. Consider adding MFA for all users to access the following:

  • Remote administration
  • VPN
  • Enterprise email
  • ERP and HRIS
  • File storage
  • Other applications housing sensitive data

6. Ransomware protection

The threat and consequences of a ransomware attack are enormous to unprepared institutions. Here are three steps you can take now to mitigate the impact in the event of such an attack:

  • Backup and recovery — Ensure all critical systems and data are backed up and recovery capabilities have been validated. The ability to recover data encrypted by ransomware is critical.
  • Drive mappings — If possible, eliminate the use of mapped/shared drives. This will prevent ransomware-infected systems from reaching data hosted on remote systems, thus minimizing the scope of the threat.
  • Antivirus and anti-malware — Again, installing and keeping up-to-date antivirus and anti-malware solutions on user endpoint systems can reduce the risk of ransomware being executed on your system.

7. Payroll and invoicing process review

The threat of payroll and invoice fraud against higher education institutions is rising. This type of threat exploits institutional processes around these functions, often regardless of the solution in use. It’s critical to review your payroll and invoice processes to identify any steps that could be manipulated to bypass intended validation and authorization points.

8. Email validation

Higher education institutions are facing a relatively new threat involving the mass creation of fraudulent accounts in their ERP systems. A simple way to minimize your risk: enable email validation features within your ERP system.

9. Compliance

While compliance requirements can be difficult to keep up with, it’s vital to stay abreast of new and changing requirements that can affect your institution. Work with your legal counsel to fully understand your obligations and ensure that your cloud providers can support you in your compliance efforts.

Topic
Data Security, IT Standards and Architecture, Our Approach
About the Author
Josh Sosnin
Josh Sosnin
Vice President and Chief Information Security Officer

Josh Sosnin is the Vice President and Chief Information Security Officer at Ellucian. He is responsible for securing Ellucian’s software products and cloud services.

Read full bio
Other articles by Josh

Products & Services

Ellucian Ethos

Connect people, processes, and applications across your institution with the higher ed platform.

Read More
Managed Services

Strengthen your strategy and execution for improved institutional performance.

Read More
Ellucian Cloud

Say hello to the cloud built for higher education. Ellucian Cloud Solutions and Services are designed specifically to help higher education institutions modernize their systems without disruption to help you solve our toughest challenges.

Read More

Related Content

Information security essentials for higher education
eBook
Information security essentials for higher education

Learn how to safeguard the integrity and availability of your systems and data with these key infosec tips.

Dive Deeper
Solution Sheets
Solution Sheet
Ellucian Ethos Identity
Dive Deeper
Insights - It and security intellectual capital
White Paper
The right security framework can save your institution

Choose a security framework to protect your intellectual capital and avoid a financial or PR nightmare.

Dive Deeper

Get Started Today

 Connect with us
 Schedule a demo
Home Close