Colleges and universities have always been attractive targets for hackers. While threats to the healthcare industry and corporate businesses account for a higher percentage of data breaches, the advent of online-learning models to support pandemic safety measures has revealed a growing number of attacks on higher education. Schools collect sensitive data about students, parents and staff, including financial and health information, and research institutions compile tons of critical information often communicated to government entities and healthcare organizations. The sensitivity and quantity of data collected and stored by schools lead to major compliance challenges.
Compliance Regulations for Higher Education
The wide range of technical responsibilities required to keep a campus network running begets a broad set of compliance requirements. The Family Educational Rights and Privacy Act (FERPA) dictates that educational institutions have to maintain the safety of student records or face penalties like loss of government funding in the event of a data breach. Payment card systems fall under the Payment Card Industry Data Security Standard. Research facilities working alongside government partnerships must contend with the Federal Information Security Management Act. Medical records entrusted to these schools are subject to HIPAA requirements. It’s not easy to meet all of these compliance goals when university security teams are understaffed and underfunded, but the security-skills gap is not a new problem. The risk of cybersecurity attacks grows as the traditional network perimeter vanishes.
The Vanishing Network Perimeter
The network as we know it was starting to vanish long before COVID-19 induced the proliferation of remote working and learning. The critical data that students and faculty need for productivity has moved to the cloud, along with the demand that it be accessible from any device or location. Security strategies relying on firewalls and secure web gateways within a consolidated campus simply won’t cut it in the new world. They must be supported with endpoint protection and identity management solutions.
The Buzz About Zero Trust
In a post-perimeter world, endpoints can no longer be protected behind traditional network security infrastructure, which makes the endpoint the most vulnerable and exposed attack surface. A Zero Trust environment must be upheld to protect these endpoints wherever they are. The Zero Trust access model was created by an analyst at Forrester Research a decade ago. The concept stems from the idea that no activity or user, inside or outside the network, should be trusted. Many next-generation security products, like active EPP (Endpoint Protection Platform) and EDR (Endpoint Detection and Response) from SentinelOne, have adopted a Zero Trust methodology. When you look at the kinds of vulnerabilities that arise from online learning, social engineering, and insecure home routers, these next-gen products are the kinds of tools college security administrators need to match an expansive threat surface.
Centralized Identity Access Management
The major architectural shift of applications out to the cloud has made identity access a crucial component of a modern infrastructure. A permissions-based access management tool should be able to secure authentication by using user behavior, identifying current and historical access requests from registered devices across multiple locations, in order to approve or deny logins. Volta is partnered with IAM (Identity Access Management) company Okta. Okta’s IAM product creates one central point of truth, logically organized around the user, so that one constant of identity is the hub for credentialing application access. Identity management and endpoint security must work together so that students can authenticate and access university resources or be denied authentication based on anomalous behavior.
Start with Security Awareness Training
Of course, human error is always the greatest vulnerability in the social engineering age. One of the easiest and least costly defenses against cyber criminals is internal security awareness training. Consider implementing training modules for students and staff so they can become more educated on attacker tactics. Training tools like KnowBe4 can automate regular phishing email tests to .edu addresses to track how the community is interacting with suspicious content, and then send reports to individuals who are not exhibiting the smartest email behavior. Check out Security Awareness Training from Volta and KnowBe4.
The perimeter has fully disappeared and the threat surface area for higher education has expanded massively in the era of social distance learning. Colleges and universities are going to have a hard time facing the increased frequency and severity of cyber attacks alone. Legacy anti-virus and traditional network security cannot withstand the evolution of threat vectors targeting the workforce. Luckily, there are next-gen solutions offering a range of products that integrate easily to provide the modern security posture schools need to protect the data entrusted to them while meeting regulatory requirements.