Campus cybersecurity teams face a broad range of challenges today.
View Transcript
Cheryl Washington: Let's just suggest that there are a litany of issues facing higher education when it comes to cyber security. First and foremost is the sheer volume of digital assets that we collect, produce, distribute, share, manage. Many of those assets have extraordinary value to individuals not only within the education community but outside the education community. The sheer volume of intellectual property that we produce is not just valuable to those of us in higher education clearly, but also to nation state actors.
Cathy Bates: Really the bad actor attacks and the threat environment that's out there, the security operations teams at our universities are very busy because they're just continually being subject to attack and I think just trying to make sure that we're staying on track with that is very, very difficult.
Cheryl Washington: The ongoing threat landscape is growing more complex. Threat actors can actually buy attack kits on the black market for pennies on the dollar and do extraordinary damage to us.
Matt Morton: And what's happened is is that the bad guys have shifted from wanting that kind of information to sell for identity theft and they've shifted to a more nefarious kind of role and what that role is is general information about you specifically. And thus the rise of the chief privacy officer, right? So that information they're using to say tip elections or to go after even particular issues. That kind of weaponization of social media like we saw in 2016, is a paradigm shift.
Alan Bowen: Internet of things devices are great, but they're really pushing the barrier far more towards convenience over security. When the internet of things devices are used by individuals that cannot or won't patch and apply security updates. In many cases a lot of the vendors don't make them available to consumers just because the device is so inexpensive in the first place. So those devices are on the internet for convenience purposes and our students want to control their electric lights. They want to have electronic doorbell on their dorm room or a video door bell and these are devices that really are outside of the administrative domain of our control and we really don't know what they're doing on our network. So we can mitigate that risk only to a certain extent, but they can also be leveraged for distributed denial of service attacks.
Cathy Bates: And the other thing on the information security side that just is continuing to grow is our compliance obligations. We're just starting to see every year another step up in terms of a new obligation that we have when it comes to compliance. You know whether it's our local compliance on our campuses or with our board of trustees. To our state and our state auditors and our regulatory compliance and then the national level with all of the different compliance that comes there. It just is continuing to grow and both the security operations area with that wide spread threat actor and threat vectors that come in, as well as the compliance just keeps those departments enormously busy.
Cheryl Washington: It's growing increasingly more difficult to hire security professionals, to get them properly trained, to retain them in our environment. When you compare the need for really qualified people with the threat landscape, we have a very complex task to work with.
Alan Bowen: Additional security threats for hire ed include password reuse. That's a big one in that I may choose a really strong password but if I reuse it on 10 sites, if it's breached on one site, I can use it on all the other nine and that's a huge issue. Really it's a security awareness education piece that we don't really make it easy for our users. Historically for years we've chosen passwords that were hard for users to remember, but easy for computers to crack. And especially as computing power increases today we really need to have users understand why they need a better password to prevent these kinds of attacks.
Matt Morton: The other one I'd say is cloud. You know from a technical perspective the move to the cloud is freeing. It's going to really enable a lot of optimization of resources in a lot of institutions. On the other hand if you don't do it smartly, we're all going to suffer some massive breaches at the end of it if we don't do it in a way that makes sense.
Cheryl Washington: The larger you are, the more you're scoped to contend with research as one of your core missions. The more complex you are. It's not just teaching and learning, it's research, and it's also community service. Which means we're an open environment. We welcome people from all over the world. And yet it is highly likely that someone is going to cross our path who may not look at us as their best friend so to speak. So we have to worry ourselves about some of the potentiality of a threat actor crossing our path because they took advantage of our open environment. am I changing the experience in the business?