Sponsored Content: CampusGuard

Security First, Compliance Always—Even during a Pandemic!

Being compliant with industry regulations or standards doesn't mean your IT environment is totally secure, and today's headlines offer additional proof.

As I write this article, we are experiencing the COVID-19 pandemic. Read the entire article for some relevant analogies.

All of us who are fortunate enough to work in the information security industry know the old saying, "Compliance does not equal security."

The statement is true—attackers don't really care if you've checked all the boxes for whatever compliance requirement you have (PCI DSS, HIPAA, GLBA, etc.). Colleges and universities invest a great amount of resources to meet compliance standards that may help to spot gaps in their data security. Yet some organizations still fall victim to data breach, despite meeting all compliance checks.

When this happens, it's likely that the organization was more focused on avoiding penalties and being "compliance first" rather than developing strong cybersecurity. These organizations misunderstand the purpose of these regulations and interpret them as a checklist with step-by-step directions for a solid cybersecurity posture. Regulations are not intended to tell organizations how to structure their cybersecurity efforts. Rather, they are intended to be used to meet the requirements of a third party to safeguard data important to them.

The Higher Education Challenge

Because of the complexity of their operations and the open-access nature of higher education, colleges and universities face unique exposures related to the internet, information security, and privacy. They represent a very lucrative target for cybercriminals looking to take advantage of extremely low-hanging fruit.

Some Definitions

Compliance is determined by governmental, nonprofit, or industry groups and serves as a generic blueprint for the security of certain kinds of data. Higher education is one of the most regulated segments of our economy. The regulatory organizations that govern compliance standards issue them as a minimum bar for security. Enforcement is established through audits or assessments that are either self-administered or coordinated by a third party.

Security is the sum of processes and features safeguarding your data. Effective security requires threat identification through proactive risk assessment and threat intelligence as well as active monitoring and analysis of your network environment.

Security First!

A sound cybersecurity program is built on proactive risk assessment and threat intelligence and consists of a mixture of the infrastructure, policies, and management of your environment. You can build a secure infrastructure, but if it doesn't have actively vigilant layers, your data is at risk. As a security measure, many organizations are implementing AI-based protections (meaning the artificial intelligence is looking for abnormal behavior) against zero-day vulnerability attacks. If the AI finds something, most systems are configured to alert humans, who then decide what to do.

Threat Landscape Monkey Wrench

What happens, though, when something in the threat landscape suddenly changes? Here comes the COVID-19 analogy. Let's look at what is happening right now. Each year, the WHO predicts (in reality, guesses) which handful of flu virus strains will be the most problematic and develops a vaccine accordingly (i.e., a proactive security measure). But what if the scientists are wrong? What if the virus evolves? And, more specific to today's situation, what if there is an entirely new strain with a pathology that no one has planned for? The coronavirus 2019 (COVID-19) is now a pandemic, even though we had excellent early warning indicators to help prevent the virus's spread.

It is not a big stretch to compare this situation to what can happen as a result of a zero-day vulnerability attack that can bring an entire network down. How many cyberincidents are actually caught by one of our layers of defense, but staff fail to deploy countermeasures (e.g., Target, Equifax, etc.)? How many times are the signs there, but no one is watching for them or we don't react because it's inconvenient? Compliance is slow. Security incidents occur rapidly. We wake up to a new threat landscape every day. Effective security is the sustained ability to pay attention. Actually, cybersecurity is a three-part process:

  1. Security is the sustained ability to pay attention.
  2. Compliance is the ability to prove you're paying attention.
  3. Audit is getting someone else to agree that you're paying attention.

Cyberhygiene

If you want your institution to achieve sound cybersecurity in today's threat landscape, you will need to adopt a good institutional cyberhygiene strategy. This means protecting and maintaining systems and devices using cybersecurity best practices for every device that can connect to the internet. In short, cyberhygiene encompasses your hardware, software, and IT infrastructure along with employee security awareness training. This complete approach to protecting your institution's sensitive information can provide you with immediate and effective defenses against cyberattacks.

Much like an individual engages in certain personal hygiene practices to maintain good health and well-being, the following cyberhygiene best practices can keep institutional data safe and well protected:

  • Scan network devices for vulnerabilities
  • Patch equipment with vendor updates
  • Review and analyze historical data and trends
  • Establish and follow a set network and security coverage schedule
  • Document a common set of practices to establish your cyberhygiene policy

Developing comprehensive cyberhygiene procedures is a must for today's enterprises. When carried out in conjunction with robust, enterprise-wide security practices, sound cyberhygiene practices aid in maintaining a sound security posture.

Responding to COVID-19: Work-at-Home Cybersecurity Issues

With the spread of COVID-19, many colleges and universities are requiring, permitting, or recommending remote work. However, rapidly transitioning large groups to a remote workforce model comes with several significant challenges to IT teams, the network, architectures, and even vendors. At the same time, cyberadversaries are not taking a holiday and are implementing new tactics and techniques designed to exploit the growing wave of confusion and chaos.

To guard against these threats, consider:

  • Requiring all devices to be equipped with institution-provided security software and the latest manufacturer software updates prior to permitting access to any remote systems
  • Requiring multifactor authentication on each log-in to your portal
  • Only allowing remote access through a virtual private network (VPN) with strong end-to-end encryption
  • Prohibiting working from public places, such as coffee shops or on public transportation, where third parties can view screens and printed documents
  • Prohibiting the use of public Wi-Fi and requiring the use of secure, password-protected home Wi-Fi or hotspots
  • Imposing additional credentialing with respect to the ability to download certain sensitive data

Incident Response

While colleges and universities are working hard to protect the health and safety of faculty, staff, and students, incident response requirements should remain in effect. All should be reminded that if they become aware of a possible data security breach while off campus, they should inform the designated response team member for such notifications. Additionally, each institution's data breach response team should be reminded that, because risk may be elevated during this period, their attention and resources may be called on.

Final Word

Compliance isn't an end-game scenario, and completing an audit (e.g., PCI DSS, GLBA, or HIPAA) isn't a guarantee of safety against the bad guys. So, while compliance is a single point-in-time demonstration that a third party's requirements have been met, security is an ongoing, everyday effort. Your security program is your day-to-day protection of the sensitive information that you maintain. Beyond its role in compliance, security needs to be seen as a dynamic organism because it's protecting against constantly evolving threats.


Ron King is President of CampusGuard.

© 2020 CampusGuard