Bursting with personal information and financial details for students and employees, as well as valuable research that could cause financial loss if stolen, universities are seen as having lax systems and an abundance of reward.
Cybersecurity red teamer Andrew Constantine has worked with leading corporate organizations to enhance their posture using cyber-attack simulations. He's founded CIO Cyber Security, a private advisory firm working with industry leaders, and has also authored "The CIO Solution Book."
Through all of his work and research, Constantine says time and time again, it's the same few areas where higher education institutions let themselves down.
1. IT and Security Team Visibility
They can't control what they can't see. Quite simply, there's no visibility, says Andrew.
"How do you protect assets when students bring in their own equipment, and how can you maintain applications and external devices brought in?" he asks.
"For many leaders, the biggest threat indicator to the organization is identifying what devices, services, programs, applications, and 'things' are running on their assets. Being specific and conscious of imminent threats, understanding the risks, and building a mitigation strategy around it is key."
He says that understanding where a threat could come from and building a game plan to prevent it can be tricky when a university is an open playing field and students use their own devices. Since student activity can't be monitored in most cases, firm policies and procedures outlining what students can and can't do, and having them sign off on those requirements, could be an excellent first step in beginning to eliminate the threat slowly but surely.
"A critical response for a lot of security leaders is validating where things are in terms of data," he adds, saying it's essential to consider where it's stored, how it's monitored and managed, and who has access to it.
"From there, formulate a road map to understand how it's accessed both internally and externally and build a safeguard to protect those assets."
2. Executive Buy-in
The second pitfall? Educating and getting buy-in from boards and leadership teams.
"It's still one of the biggest challenges facing CISOs today. Boards, chairmen, and CEOs ultimately need to accept the business risk for cyber and understand it's much bigger than 'IT' and a siloed approach, which is usually the case."
Andrew says a collaborative approach is helpful here. Speaking with the relevant players in a non-security frame of mind and addressing things like business risk and financial loss could be the best approach. Bringing everyone together to speak freely about their challenges as the CFO, CEO, and CISO, and to identify ways to overcome them, can foster trust between CEOs and their CISOs and security counterparts, and vice versa.
"Once the entire team understands their challenges and risks, it makes things easier to implement and dissect," he says, adding that a lack of education and of the much-needed buy-in from executive leadership teams is the fundamental reason most breaches occur.
"How would you implement solutions when there's no clarity and vision?
"CEOs are unaware, boards are unaware, IT and security teams are unaware, and then they realize there's a breach or attack, often too late. So they're in a reactive state wanting unrealistic changes and outcomes that aren't feasible. Security and technology teams are then pushed with changes and outcomes without proper planning, measures, and countermeasures because of this reactive state, thus leading to confusion, dismay, and, unfortunately, breaches."
He adds that inadequate resources also play a considerable part, as CISOs and security leaders typically receive only a small budget to spend on technology. Even today, cybersecurity and its associated technology are perceived as an expense rather than an essential until a breach occurs.
His solution? Be resourceful.
"There are a lot of commercial products out there that couldn't do half the things free or open-source products can."
He says it's about knowing where to spend money resourcefully: where to allocate funds to help drive operations and productivity, and to make things easier for staff and students.
"Here is where you shine. You work with the business units, so you aren't seen as a threat or a person who implements controls and creates barriers. Rather, a person of change to help the team grow better and faster, not creating unnecessary products and apps that cause confusion for staff members who will then bypass the controls that are implemented."
Simply put, wasting money on a security project that nobody knows how to use or makes people's jobs harder isn't money well spent.
3. Unrealistic Expectations
The third downfall, he says, is unrealistic expectations. Too often, leadership teams, management styles, and business environmental factors come with unrealistic implementation needs or project-based requirements.
"A recent one I had was to have an entire VPN solution built in two days and migrate their existing user base of 1200+ users globally, decommission their old legacy system, and ensure the new one could withstand the load, the security, and, of course, work.
"In a perfect world, this would take a few months. Speaking with the service providers and getting IP addressing schemes could sometimes take a few weeks from the vendor, let alone two days for an entire solution. Raising some highlights on concerns, risks, and exposures, and having a migration strategy for a response ready to go, is the game plan."
4. Penetration Testing
Lastly, Andrew says the annual penetration test can often lead to disaster.
"Doing an annual or quarterly penetration test is superb and very much needed; however, in most instances, a penetration test doesn't fully test the nature of a cyber-attack. Invest some time and resources exploring attack simulation scenarios: running combat attack scenarios, data loss prevention simulations, SIEM simulations, threat management simulations, and stakeholder communication simulations.
"Running a simulated cyber breach response is key. Unlike a penetration test where the scope is limited and only due to the nature of the attack, which is predefined with do's and don'ts, seek to do a simulation of an attack. This is conducted as a real-world attack simulation," he says.
No rules, just the objective.
"For example, compromising the CEO's laptop and exfiltrating data found on their desktop could be a scope. The simulation then involves an 'any measure' response. In other words, do anything and everything.
"A simulation will measure an organization's response, like decision-making processes, risk assessment, innovation, game plans, and their teams. A true form to tweak, measure, and understand how the organization would react to, identify, and remediate a true-nature attack."
Like with most things, Andrew says preparation is essential, and running simulations will help form and mold the best methods to adapt and respond.