As major corporations spend millions on security infrastructure and applications, smaller institutions with limited budgets and resources can find cybersecurity challenges daunting at best. A small nonprofit university's experiences offer another option: developing a sound cybersecurity strategy and implementing it in small, iterative steps over time.
Someone is sitting in the shade today because someone planted a tree a long time ago. — Warren Buffett
Buffett's idea — that we need to start somewhere and, by beginning, can influence and affect other people in the future — is an apt guide for the security challenges we face in higher education today. Cybersecurity is daunting for many institutions. Administrators understand the importance of cyber defense and the risks of poor solutions, but given a lack of resources, skilled talent, and leadership, the problem can look impossible to get their arms around. It does not have to be this way, however; instead, we can approach cybersecurity strategy development and implementation in small, iterative movements and thereby forge immediate solutions in critical areas and influence future IT strategy and teams.
In higher education, we have critical data to steward and protect, including student medical data, credit card information, and other types of personally identifiable information. Huge challenges confront us, including the staggering amount and frequency of data breaches today. According to Gartner research, over the past year leading global companies have individually suffered sales and revenue losses of up to $300 million due to malware-based cyberattacks. Further, a FireEye trends report notes that in the U.S. last year the median dwell time — that is, the median time attackers were inside networks before being detected and removed — was 99 days. AT&T's 2017 Global State of Cybersecurity survey uncovered three major gaps in organizational cybersecurity strategy:
- More than one-quarter (28 percent) of organizations apparently view cyber insurance as a substitute for cyber-defense investment, rather than as one component of a multilayered cybersecurity strategy.
- Two-thirds of organizations (66 percent) claim their in-house cybersecurity capabilities are adequate to protect against cyber threats, yet nearly 80 percent say they were breached within the past year.
- Just 61 percent of organizations mandate cybersecurity awareness training for all employees, yet more than half admit to breaches from employee mobile devices infected with malware.
These findings are from major corporations spending millions on security infrastructure and applications. What does this mean for small institutions with limited budgets and resources? Is it hopeless? My experiences at Evangel University (EU) show otherwise. By creating momentum and remaining consistent in cybersecurity strategic development and execution, smaller organizations can implement and achieve success with effective cybersecurity strategies over time.
Overview: Evangel University
EU is a faith-based, nonprofit university located in the Ozark Mountains in Springfield, Missouri. With 2,200 students, 350 faculty and staff, and an IT team of 11, EU is much smaller than many U.S. universities. However, it faces the same cybersecurity risks as every other institution. Our organization's approach requires the same solutions, albeit at a smaller scale; like many institutions, we have very limited resources.
In 2014, EU was emerging from the consolidation of three institutions — a change that wrought confusion, low faculty and staff morale, and a stark realization of a missing IT strategy. After an initial consulting engagement in early 2014, I accepted the chief information officer position at EU, reporting to its president, Carol Taylor.
EU's cybersecurity story mirrors that of many small- to medium-sized higher education institutions. Cyber defense is not a new concept. Everyone understands the need for it, but IT executives too often see it as a daunting task. In some sense, it is comparable to the task faced by climbers tackling El Capitan in Yosemite National Park: From its base, El Capitan seems impossible and the mere thought of scaling its granite face might be exhausting at best. Where does one start? What happens if something goes wrong 200 feet up or at 2,000 feet?
The answer for climbers — and for those seeking to mount a cybersecurity strategy — is rather simple: one handhold, one foothold, one hour, and one day at a time. This was EU's approach. As the sidebar, "EU's Cybersecurity Timeline," shows, we began with infrastructure changes (new firewalls and applications) and password management adjustments to create a stronger foundation. We then added machine-learning-based malware detection to strengthen our defense-in-depth. Next, using a third party, we completed an external/internal security audit using penetration testing techniques, offering the company internal access for phishing and data accessibility testing. We plan to share the results of this testing with employees during mandatory training, which will be facilitated by a third-party security education and phishing solution.
EU's Cybersecurity Timeline
Implementing our cybersecurity strategy has taken three years thus far and is ongoing. Following is a brief timeline of our steps along the way.
Phase 1: Summer 2015
Palo Alto Networks gave us a free 30-day network scan that showed us our baseline vulnerabilities and opportunities for improvement. After research and due diligence on new firewall technologies, we selected Palo Alto's Next-Generation Firewall, which included redundant capabilities and vulnerability protection. We also switched to a distributed, segmented network scheme to limit our building-to-building risk.
Phase 2: Summer 2016
We added Palo Alto's WildFire license for additional network protections and purchased a select number of licenses for Cylance's PROTECT endpoint protection. We then purchased a network load balancer and proxy for web application protection. We revamped our password policy and increased the number of required characters.
Phase 3: Summer 2017
We added additional Cylance licenses and the KnowBe4 online security phishing testing and training software. We hired an external consultant to conduct an internal and external security audit. This confirmed that our cybersecurity strategy was on the right course and also gave us key information for future strategic solutions. Also, we revisited our password policy and again significantly increased the minimum length. Length is the right lever: NIST SP 800-63B (2017) recommends a minimum of 8 characters, screening new passwords against lists of known-compromised passwords, and dropping mandatory composition rules and periodic expiration.
EU's Incremental Journey
We achieved a coherent and increasingly effective strategy through a series of small, manageable steps.
We started with the end user in mind. According to a 2016 Microsoft security blog, 60 percent of all breaches originate at endpoints through compromised credentials. Indeed, as Amazon Web Services CISO Stephen Schmidt recently stated, "the biggest threat that most organizations are facing right now is a combination of excessive access for their employees and an increased focus by nation-state actors on access to sensitive information."
Managing these major risks requires many steps, but two are key. The first is to remove and/or limit admin access at all levels, including local admin rights. To do this, we had to work at the administration level to help our leadership understand the risks associated with admin rights for faculty and staff. Once the administration understood and agreed, we engaged with chairs, directors, and other leaders as needed to promote the "why" of limiting admin rights. A few faculty pushed back hard, and in two cases we compromised for the sake of their productivity (research). That said, we made clear that this was a "one shot" exception and asked them to follow all IT policies, including network access changes, and to communicate proactively with IT. This process can be painful — and many faculty and staff members may revolt — but this relatively simple, cost-free step limits what malware running as an ordinary user can install, persist, or spread to across the network when an attack occurs. To succeed here, your IT team must focus on user experience and be ready to perform installs and other actions to meet users' needs.
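One way to make the "limit local admin rights" step measurable is to audit who actually sits in each endpoint's local Administrators group and compare that against the short list of principals you have approved (including any documented research exceptions). The following PowerShell is an added example, not code from the article or from Evangel University's IT team. The hostnames and the approved list are placeholders, and it assumes WinRM is enabled on the targets and that they run Windows 10 or Server 2016 or later, where the LocalAccounts module and Get-LocalGroupMember are available.

```powershell
# Added example (not from the article): report local Administrators group members
# on a set of Windows endpoints that are not on an approved list.
# Assumptions: WinRM enabled, LocalAccounts module present (Windows 10 / Server 2016+),
# and the computer names and approved principals below are placeholders.

$Computers = @('LIB-01', 'FAC-22', 'ADMIN-07')            # placeholder hostnames
$Approved  = @('Administrator', 'EU\IT-Desktop-Admins')    # placeholder approved principals

$Findings = foreach ($Computer in $Computers) {
    try {
        # Get-LocalGroupMember can throw on orphaned SIDs (deleted accounts); the
        # catch below reports those hosts so they are not silently skipped.
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    }
    catch {
        Write-Warning "$Computer could not be audited: $($_.Exception.Message)"
        continue
    }

    foreach ($Member in $Members) {
        # Local accounts come back as 'HOST\Name'; strip the host so 'LIB-01\Administrator'
        # matches the approved entry 'Administrator'. Domain principals keep 'DOMAIN\Name'.
        $Name = if ("$($Member.PrincipalSource)" -eq 'Local') { $Member.Name.Split('\')[-1] } else { $Member.Name }
        if ($Approved -notcontains $Name) {
            [pscustomobject]@{
                Computer  = $Computer
                Principal = $Member.Name
                Type      = $Member.ObjectClass      # User or Group
                Source    = $Member.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
            }
        }
    }
}

$Findings | Sort-Object Computer, Principal | Format-Table -AutoSize
```

Run it in report-only mode first, share the list with department leaders, and only then remove entries on the target with Remove-LocalGroupMember -Group 'Administrators' -Member <principal>. Keeping the approved list in version control, with each research exception recorded as a named entry, turns the "one shot" compromise into something you can re-audit every budget cycle instead of a verbal agreement.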
The second step is to communicate cybersecurity information consistently and create a sense of urgency about proactive password management and phishing activities. As CIO, I began regularly communicating with our stakeholders through campus-wide emails, focus groups, and one-on-one meetings offering information about potential threats and policy updates. For example, after reading a Wall Street Journal article on how hackers were targeting schools, I sent an email about the article, reminding our faculty and staff not to click on links or open files in suspicious email messages. As the "Sample Security Email" sidebar shows, I also used that email as an opportunity to remind our community about EU's commitment to data security and the importance of individual actions in maintaining it.
Sample Security Email
Following is an example security email that I sent to our campus community after reading a Wall Street Journal article about attacks targeting schools.
Good morning EU family,
In today's Wall Street Journal, there is a short article on how hackers are targeting schools lately. In most cases, the hackers gain access through employees who "click" on a link or file attached in an email. Once this occurs, hackers deploy ransomware and other malware applications to either ransom for payment or steal data for sale on the black market.
We have done much in this area to protect EU. Our infrastructure is excellent and we have just completed an audit outlining additional ways to be safer.
That being said, EU's cyber safety is dependent primarily on each and every one of us. In today's world, we need to be overly cautious before clicking on links or files we did not expect or that seem odd. Err on the side of extreme caution and report any suspicious email or communication to IT immediately.
Thank you for all you are doing and continue to do. IT is committed to doing everything we can to ensure our data (and our students and employees) are safe and secure.
Consider this message a friendly reminder.
Thank you everyone and if you have any questions, please don't hesitate to ask.
As the example email shows, using external articles and reports helps people connect the dots between human behavior and security risks. This is a connection that people must be reminded of often. Attackers' ever-changing approaches force us to communicate with a regular cadence and strategic influence. Finally, while neither of these steps requires financial resources, together they can make a significant positive impact on your overall security performance.
Another area we focused on initially was infrastructure. Our network, including older firewall technology, had very little redundancy. We immediately purchased redundant next-gen firewall technology and network load-balancing and reverse-proxy appliances. To accommodate this, we prioritized the financial investment through our capital expenditure (capex) budget and put off some lifecycle refreshes. We made this decision and launched this initiative collaboratively with our administration to ensure buy-in on the capex prioritization, which would require some employees to retain older edge devices.
When making such decisions, CIOs and CISOs should conduct a return on investment (ROI) analysis based on institutional security strategy and goals. Such analysis is elusive for many security products. For example, you can spend $20,000 on an endpoint protection application and not be able to monetize the ROI. However, having no endpoint protection could result in hundreds of thousands of dollars in penalties and fixes.
The key in any ROI analysis is asking the right questions. For example, in trying to choose between two threat-detection applications we asked the following questions:
- What feature sets are available, and what do we need (machine learning, analytics, and so on)?
- What is the projected impact on threat detection?
- Can we start by purchasing a subset of features and a particular number of licenses to protect our most vulnerable systems?
We made our decision based on one application's predictive analytics and artificial intelligence capabilities, and we purchased a set of licenses for it to protect our most vulnerable systems. The chosen application fit our needs, and its ROI was within our managed-risk acceptance. In the budget cycle that followed the purchase, we added additional licenses, and we plan to double our licenses this year.
In considering multiple products, we realized our core need was for predictive capabilities through machine learning, with automated quarantine and script-control features. Your organization might have different priorities. The key here is to understand your core needs, complete an ROI analysis, and, if necessary, implement the product over a few budget cycles to spread the cost load. Another key point? Get started. Many IT teams make the mistake of waiting until they have all of the resources they need to implement a full solution. In most cases, getting started in small increments works effectively.
Currently, we are actively pursuing multifactor authentication (MFA) on all critical servers and on selected applications. We are also in the middle of a Windows 10 deployment; it will let us take advantage of the newer platform's security features and begin looking at easier MFA for a broader set of applications.
We recently contracted with a third-party firm to conduct a full cybersecurity audit, including external and internal penetration testing and specific phishing campaigns. The exercise went extremely well; our overall organizational performance was strong, but the testers did uncover some exposures in our applications, and the number of people fooled by the phishing test was higher than we would like.
Despite the exposures, we consider the audit a success in that we intentionally took action to find gaps that we can fix before an attacker exploits them. Although many reasons exist for not doing an independent security audit — including fear of what might be found, vulnerability, costs, and leadership buy-in — failing to do an audit can be a fatal error. By managing the audit, you discover your vulnerabilities and mitigate them before a real event occurs. Further, audits are relatively inexpensive and give your IT team significant data and information on next steps and how to allocate resources.
Raising Security Awareness
In its 2017 report, Three Critical Factors in Building a Comprehensive Security Awareness Program, Gartner cited engaging education, attack simulations, and pervasive communications as essential. Engaging education requires IT teams to ensure that faculty and staff stay interested in security awareness. Teams can do this by using reinforcement tools, sharing data and trends, and helping the campus community understand why security awareness is critical for the institution. Many faculty and staff do not realize the financial and reputational impact a data breach event can cause, including how it can impact enrollment and alumni/donor giving.
The second factor, attack simulations, is self-explanatory. Effective security awareness training must include simulated attacks, such as phishing emails and USB drop tests. These simulations reinforce behaviors, while also exposing vulnerabilities in a "safe" environment.
The third factor, pervasive communications, is vital to security awareness success. No "one-size-fits-all" communication exists for institutions. Each institution's communications are shaped by culture, change adoption, and other influences. The key is finding the right balance of reinforcing good behaviors, offering incentives, and managing gap improvement.
Today, many applications — including field leaders Wombat Security Technologies and KnowBe4 — offer services that address these three critical factors. Although purchasing such services is not necessary, they do make it easier for IT teams to effectively manage security awareness with fewer FTE required. With the application we chose, for example, our first phishing test using Facebook terminology and branding resulted in 15 percent of our users clicking on the embedded link in the email. Clearly, this was an educational moment, and our efforts to deploy and improve our training are ongoing.
We also developed a new incident-response plan using benchmarking from the EDUCAUSE Cybersecurity Program, Gartner, and other institutions of various sizes. Thus far, we have completed a table-top exercise with the plan and will continue to refine it through exercises. Such a plan is another critical step in a multilayered security strategy that requires relatively few resources beyond time.
Our experiences at EU have resulted in several important lessons for implementing cybersecurity in resource-constrained organizations.
Research, Benchmark, and Motivate
Clearly, implementing a cybersecurity strategy is an urgent matter, but taking the time to undertake research and benchmarking can actually save you considerable time.
In our case, taking advantage of EDUCAUSE resources — including its comprehensive Information Security Guide — along with Gartner resources, NIST's Cybersecurity Framework, and discussions with CIOs in multiple industries sped up the development and implementation of a cybersecurity approach.
Developing a successful approach requires that you understand your vulnerabilities and gaps, and the potential reputational and financial impact of a breach. Sharing this information with your administration and board of trustees can help facilitate forward movement and needed change.
In his essential book on change management, John Kotter offers eight major steps to take in leading change.1 The first step is creating a sense of urgency. IT teams do not typically do this well, but understanding your vulnerabilities and their potential impact can give you the data you need to create this urgency. However, it must be authentic, simple, and conservative. Many IT teams use hard-to-understand language and/or come across as car salespeople when trying to gain resource approvals.
Create a Simple, Incremental Strategy
Once you understand your vulnerabilities and gaps, it is time to develop the strategy. Institutions face limited resources and shrinking technology budgets. As a result, some IT teams wait for resource approval before developing strategies, while others assume resources will not be approved, so why bother.
All IT teams should be required to develop a cybersecurity strategy, because doing so builds credibility for your resource needs and gives administrators and trustees a path to better security. The strategy should be simple and use small steps to show progress. This approach also accommodates capital expenditure limitations. All this is certainly not rocket science; institutions need not wait on a multimillion-dollar solution when a hundred-thousand-dollar solution can be done sooner and fill many gaps.
Engage Campus Leaders
As many articles and conference discussions note, IT teams and their leaders must do a better job of collaborating across campus. As Shannon McMurtrey, cybersecurity expert and professor for management information systems at Drury University, noted to me in a December 2017 email:
"Recent breaches demonstrate how much opportunity for improvement remains in the area of cyber security for organizations of all sizes. The area of greatest opportunity is, without a doubt, leadership. We need leaders who work across the organization to address cyber-risk and engage senior leadership in the conversation. We need more educational institutions focusing on cyber-risk so that our next generation of leaders are prepared to understand and mitigate the risk."
IT must build trust by delivering excellent experiences and making innovative decisions. In the recent book, Hit Refresh, Microsoft CEO Satya Nadella and his colleagues state that, while no formula exists for producing trust, if one did exist it might be something like: E+SV+SR = T/t, or empathy + shared values + safety and reliability = trust over time.2 To successfully build trust, IT teams must learn about other departments, use empathy, and identify and align with shared values. IT must also provide safety and reliability by encouraging a culture of active listening and feedback loops while also providing world-class service that builds credibility and trust. An old adage says that performance buys you freedom. That freedom includes better relationships.
Given this foundation, IT leaders can forge solid relationships with other leaders across campus and begin to discuss cybersecurity's importance and how it affects leaders and their students. It is also important to ask your campus leaders how you can help them feel secure with their data and technology. The key in all cases is to share knowledge without coming across as arrogant or indifferent to other people's needs.
Educate — Now and Tomorrow
We must do more to educate our campus communities about security. This, too, requires balance. Too much education, and people can grow weary. In addressing breach fatigue and 2018 security trends, SpiderOak CEO Christopher Skinner noted the following:
"A real problem with all the bad news we see about hacks and leaks and breaches is that we're becoming desensitized to them. It is easy for employees to get complacent, and the consequences of this can be extremely harmful to a business. Even upper management can deprioritize security when trying to get out a release or an update before an important sales deadline, and CEOs and boards need to make sure that no corners are cut that can put the company at greater risk. Ultimately, cybersecurity is going to be only as strong as the top of the house makes it."
Still, with too little education, staff and faculty might lose focus. The key is to vary how we deliver education. Publications on trends, online learning, communication via email and social media, town hall events, and field trips to other local institutions to benchmark security practices can be effective. The key is to begin today. Simple emails explaining security terms and security's importance go a long way in building community knowledge.
Communicate Often and Keep It Simple
On many campuses, the IT team fails to communicate well — if it communicates at all. As with education, communication requires careful balance (to avoid fatigue). It also requires the use of simple language; use too much technical detail and eyes will glaze over or fingers will hit delete. At EU, our IT team has found success using the following rules/processes for communications:
- Every communication must have a why (a purpose) and give clear, concise information or direction. When appropriate, communications should include data, results, and specific information.
- Keep communications as short as possible. Say more with less.
- If action is required, make that action clear.
- Examples and stories resonate more than technical jargon.
We also developed a simple communication plan that we use with every IT initiative, including cybersecurity. The following plan ensures that we will continue to build trust with our community while delivering pertinent information on projects and initiatives:
- Project announcement/awareness. We use campus-wide email and Facebook's Workplace postings to publicize high-level information on the project, its goals, the EU benefits, and the timeline.
- Project updates. Our cadence here depends on project length. For a multimonth project, we send communication (again via email and Workplace) at least once a month to publicize progress and short-term wins (such as completed installs).
- Project completion. When projects are complete, we announce that fact, along with any results to date and expected ongoing results.
- Stakeholder communication. Stakeholders include anyone a project affects (upstream or downstream) along with key leaders and administrators. At the start of a project, we conduct a stakeholder analysis to identify these important people. We then create a plan to communicate with them about the project and its purpose to increase their investment and project support.
- Ad hoc communication. These ad hoc communications, also sent via email or posted on Workplace, are typically based on external factors (such as a security breach announcement at another organization) or on new information that is important to the community.
A Journey Ongoing
Our journey at EU is far from over. Among our next steps are continuing to train and educate our workforce through phishing tests and courses, testing new applications in threat detection and vulnerability management, and looking at the possibility of joint collaboration with several larger institutions to leverage expertise and technology. Clearly, the cybersecurity journey is never really completed. As technology continues to innovate and attackers and their strategies evolve, our journeys will continue and progress. That's the point: Always moving forward.
1. John Kotter, Leading Change (Boston: Harvard Business Press, 1996), 23.
2. Satya Nadella, Greg Shaw, and Jill Tracie Nichols, Hit Refresh (New York: HarperCollins, 2017), 181–182.
Gary Blackard is the Chief Information Officer and VP of Strategy and Innovation at Evangel University.
© 2018 Gary Blackard. The text of this work is licensed under a Creative Commons BY 4.0 International License.