Takeaways from the 2024 Horizon Report, Cybersecurity and Privacy Edition

Nichole Arbino

All right, hello everyone. Today we are talking about the 2024 Horizon Report Cybersecurity and Privacy Edition. My name is Nicole Arbino. I'm a Senior Program Manager here at EDUCAUSE and I am joined by some wonderful folks to talk about the report. And Jenay, I will kick it off with your introduction. 

Jenay Robert

Alright, hi everybody. I'm Jenay Robert. I'm a senior researcher here at EDUCAUSE. Horizon Report is one of my favorite projects to work on throughout the year. And yeah, I'm excited to talk about it today. So I'll pass it to, on my screen, the next person is Ben Woelk. So I'll pass it to you. 

Ben Woelk

Great, thanks Jenay. My name is Ben Woelk. I work at the Rochester Institute of Technology. I contributed to the Horizon Report this year and it's my first time doing that. I thought it was a really interesting experience. And I will pass it over to Nicole. 

Nicole Muscanell

Thank you. I'm Nicole Musconnell. I'm a researcher here at EDUCAUSE. I work on the same team as Janae. And I'm involved with the Horizon reports. Typically, I'm largely responsible for writing the trends section in all of the reports. And then we have Ben. sorry, other Ben, Ben Bongers. 

Ben Bongers

Ben number two, the less popular Ben. Hey everybody, my name is Ben Bongers. I work with Educause on the professional learning team as a professional learning manager. So bringing you all sorts of different professional learning opportunities, sometimes connected to these Horizon reports. So I'm excited to explore how we can bring more training and more visibility to these in different potential training opportunities for you. 

Nichole Arbino

Great, thanks everyone. All right, so this was a really interesting report to be part of putting together. And I'm interested to hear what was everybody's biggest takeaway from the . . . 

Jenay Robert

I can get started with this question. I have worked on several Horizon reports now. I've been at EDUCAUSE for I think three and something years. And to me, starting to see how privacy and security are rising to the consciousness of people across campus in ways that maybe we wish it had before, but now with the explosion of AI and people really thinking a lot more about their data being used for everything all the time. 

I think we're seeing even more awareness and interest from people like in teaching and learning and other areas where, know, speaking for myself, working at an institution, I was always aware that privacy and security were important, but I didn't really know it, you in my soul like I do now. And I think that that's some of the evolution that we're seeing and some of that expansion of awareness is reflected a bit in some of the trends that come out in this report and also in some of the scenarios. So I'll leave that as a teaser for something to discuss later and see what everyone else thought. 

Ben Woelk

Yeah, I'll go ahead. I'll... Sorry. 

Nicole Muscanell

No, no, let's let Ben go next. 

Ben Woelk

Let's make this hard for Kelli to edit. Anyway, for me, as I mentioned in the intro, this is my first time doing participating in the report. It was really interesting because there was a very capable group of contributors to the report and everyone had really good information to share. What strikes me about it overall is what a snapshot in time it is, because we did this over a couple of month period, maybe three months. And it's really relevant for those three months. It will be really interesting to see how it looks a couple of years down the line when we're trying to look at signals and trends and determine where things are going. 

Jenay Robert

Actually, before we all kind of answer this question, it might be interesting to let the audience know a little bit more about because we're all four out of five are from educause. And so the question is, what was Ben Woelk’s role on this? And not everybody realizes that the large process that happens behind the scenes with all of our Horizon reports. So if it helps, especially for those listening or watching, that every Horizon Report is a process where the researchers bring together a panel of experts from actually across the world and people working on the ground. So it's not our opinions at EDUCAUSE that we're writing about in the Horizon Reports. We're collecting data from this panel, and then the panelists will . . . vote on the various trends and key technologies and practices, and our panelists also give us a lot of input for what those scenarios look like in the report. So this entire report is the voice of our members amplified, and I think that that often is not something people are aware of. So just to kind of clarify what you're, and if you want to add anything, then feel free, but other, you know, I just wanted to kind of clarify that for anyone listening. 

Ben Woelk

No, Jenay, that's a really good point. So, and I don't have the total number of participants, I'm sure Nicole does, but we were all, we're all practitioners in either cybersecurity slash information security and or privacy across higher education. And I think we had a few members who were not part of universities and colleges. That's what I've seen typically. It was an overall self-selected group, there was a call for volunteers to participate in it and a number of people answered that call. It was pretty, I would say across the profession in terms of the cybersecurity and the privacy side, I think it was a pretty good cross -section of technical people, non -technical people, chief information security officers, chief and chief privacy officers, awareness and training people, all sorts of different areas. So I think it gives an opportunity to give a really, even though we're all associated with higher education, I think it gives a really good opportunity to provide different vantage points into what we're seeing happening.

Jenay Robert

Thanks for that additional context. Yeah, so I don't know, anyone else wanna talk about their takeaway? Sorry, I derailed us there. I just felt like it was a good time to clear that up. 

Ben Bongers

Okay. 

Nicole Muscanell

No, I think that was a good spot to jump in with that, Janay. I was kind of revisiting the report and just trying to think, okay, like broadly looking at all the trends kind of together, what's a takeaway that I could, you know, that wasn't just narrowly related to one of the specific trends. And so what we did see is that there were several trends that were showing, we're seeing, and arise in risks and threats and also different types of cyber attacks in higher ed institutions. And what I kind of realized going back and rereading what I had written to jog my memory, there's several different spots where kind of one of the key implications is that cybersecurity and are really gonna need access to ongoing professional development opportunities. So upskilling and reskilling because we see that technology is changing so fast, especially if we're talking about AI. The types of threats that are out there are getting increasingly sophisticated. Threat actors are always trying to find work arounds or new ways to target people. 

So I think one of the biggest takeaways is that, you know, for the foreseeable future, I think it's going to be really important for higher ed institutions to make sure that their security and privacy professionals have plenty of opportunity and also time to complete these trainings, not just one time, but, you know, probably on a continuous basis so that they can really stay up to date with the field and also stay ahead of the threats that are emerging. So that's my main takeaway from the trends section. 

Ben Woelk

And I want to comment on that briefly. The formal training stuff is important, but I think every bit as important is that network and those connections to be able to talk to other universities and colleges and see how they are approaching some of these issues. To me, is honestly has been one of the biggest pluses of my EDUCAUSE involvement is establishing those connections. And with this report and the frequency of how often it comes out, we're talking about generative AI and it doesn't look much like it did four months ago at this point in time. So I think even the training is important, but I think the constant communication about new things happening is important also because I think the training is going to behind at least these newer developments. There was also a conversation about though building up the workforce in cybersecurity and privacy and higher ed. And I think that training part is really critical for that because part of what we identified is that people are coming, since loosening the amount of demanded requirements on different positions that we list and trying to make them more open and accessible, especially to a diverse job seeking market, rather than having a bunch of certification requirements that basically you'd need to be in the field for about ten years to even go after some of those. So I think that is part of what came out of it also, but Nicole absolutely agree about the need for the keeping up with things. It's just a variety of ways we're going to have to do it, I think. 

Ben Bongers

One of my main takeaways reading through the report was I actually was thinking about the EDUCAUSE Top 10. The Top 10 report that we put out every year for things that higher ed folks should be thinking about for the next year. And cybersecurity has been number one for the last several years on that report. And so my main takeaway is going to be a question, which is mostly how does this report bring a newer lens to an important priority in higher education that has been at the forefront of even our EDUCAUSE Top 10 for the last several years? I'd be curious what the group thinks about that. 

Nichole Arbino

I think my answer to that would be just the velocity of change in cybersecurity right now with the proliferation of AI and how popular it's becoming. We've got students wanting to use it and faculty wanting to use it and threat actors wanting to use it. I would be curious to look back at Top 10 from last year and see how we talked about cybersecurity and privacy, the Top 10 issues for this year and see how much, how the way we talk about it has changed from just such a short time ago into this report. I think that velocity of change is really probably concerning for institutions, but also really at EDUCAUSE gives us this big lift of like, how do we help institutions get what they need and connect with the right people to make sure that they're prepared for all of this change that's coming at them? 

Nicole Muscanell

And I don't know this off the top of my head. This is probably, I should probably go back and read Top 10. But does Top 10 really do as much of a focus on like the foresight aspect and us like really delving into the future of what cybersecurity and privacy is going to look at over the next decade or so? Because if I'm recalling correctly, I feel like we have that stronger in the Horizon report. And so that's something that would kind of put a unique lens on it and would be a little bit different than what Top Ten does. 

Jenay Robert

Yeah, I think I was going to kind of touch on something along those lines. For me, the Top 10 is always this incredible resource of here are these big trends we need to be looking out for. And I really love being able to go deeper in the Horizon reports for any given topic on not only deeper in the ways that Nicole was just saying, where we think, okay, what are the potential impacts? What are all of the different scenarios that we can imagine for the future, but also thinking about those overarching social, technological, environmental, economic, and political trends that will then impact the future of this specific area. I say this as often as anyone will let me speak, which is that higher ed doesn't exist in a bubble, number one. And number two, our community has the power to create the future, perhaps not in its entirety, we're not all powerful beings, but we don't have to be passive recipients of what happens and then react to it. can think in this data informed way with strategic foresight, which is the science that the Horizon Report is based on, and we can decide how we want the future to look and then create actions to get there. 

It's definitely a slightly different take on trends, that's for sure. And I for one love especially writing those scenarios. yeah, it's fun way to think about the future. 

Nichole Arbino

Nicole, I'm glad you brought up the difference between the comparing Top 10 to Horizon Report and going back to my point about the velocity of change in cybersecurity and privacy issues right now, I wish I had a crystal ball because I'm curious in this ten-year time horizon that we talk about in the Horizon Report, what would these actually be? What will the Top 10 issues look like when we're supposed to be at this time, ten-year time horizon and how much will have changed in higher education and cybersecurity and privacy, what would be spot on or are there things that will have just changed so rapidly that were. 

Nicole Muscanell

It's going to be interesting to see for sure, because even with this report, this year's report, right? So the last, and it wasn't called Cybersecurity and Privacy, but the last Information Security Horizon report we did was 2021. So just about three years ago. And like in between these two reports, Chachibiti came along and we saw that that was a huge change and that made a big impact and is still continuing to make really big impacts higher ed institutions. So that ten year horizon, I'm sure we'll see lots of things going on. 

Ben Woelk

Yeah, it's tricky. I'm sure there will be attackers. I'm sure there will be things to protect. But I look back a little longer than ten years, but twelve years ago, phishing wasn't the thing it is now either. So that was a huge change in terms of how attackers were trying to get into networks and compromise accounts and all of that piece of it. I think the other piece that was interesting that we touched on in the report that political aspects really interesting because I don't remember. mean, the last two administrations at least have had a cybersecurity strategy. I'm not sure there was one before that. If there is, I wasn't aware of it and it wasn't promoted as well. This last year, the Biden administration has an AI governance strategy also. 

So it's going to be interesting both from the political administration side of things to see what gets emphasized and what is maybe where the government provides help to universities, but also where they're being a little bit more rigid, especially around compliance and research and things like that. And we identified things around starting to… We all know that we cannot simply attest that we have controls in place, but now we're seeing times where the government is going after specific universities and they're using the false claims act because it was really, said you had this, but you don't. And that seems to have, that's still continuing. And if anything, it seems to be even larger stakes in some ways, but ten years in generative AI, can't even hazard a guess what things will look like. I do think we're gonna see demographic impacts though we're already starting to see those in terms of especially smaller schools closing and overall college students gonna look different. 

Nichole Arbino

Ben, I think it's interesting that you bring up the political side of it. And what I hear a lot with our privacy and chief privacy officer community groups is this like what legislation is going to come out that impacts the way institutions do what they do. And there's not only the federal layer, but also the state layer. know, institutions are already working on compliance efforts with GPR and things like that. But if you know, depending on what the United States decides to do with privacy, legislation could really impact the work that our privacy folks are doing on that international piece is so interesting for me. I was at a conference in Italy last week and was talking to some colleagues over there about how they're approaching policy and guidelines related to AI at their institutions. It's a huge area of interest right now across the world really, but mostly in areas where AI is really being implemented. And so interesting to have those conversations in the U.S. versus Europe. 

They're very different conversations, you know, and this person in particular, I'm recalling a conversation where this person kind of looked at me like, what do you, like, we just look at the EU act and we like make sure we're aligned with it and then that's it. Right? So it's kind of, it's really interesting to think about how the legislation differences, but then we have to, we have to be aware of that no matter where we are, because our students are from all over the place. 

Yeah, it's just something that's very interesting to me is the international component. 

Ben Woelk

Well, even in the U.S., mean, we don't have GDPR. We don't have an overall governing privacy framework. But there are states that have modeled their privacy legislation, like California, around GDPR. So at a university with, think we've had, somebody's figuring we have students from forty-nine different states and across the world right now. We have to be concerned of all of that regulation for all of these different states because they do apply to residents of those states when they're resident elsewhere. It'd be really interesting to see what's coming out of Italy and these other countries because one thing I teach of cybersecurity policy and law class and we talked about generative AI just this week and the discussion came up, what are other countries doing? And at that point, we didn't have a lot of answers around it. 

Jenay Robert

Well, catch me at the EDUCAUSE annual conference and I'll introduce you to some of these folks that I met in Italy last week. 

Nichole Arbino

Ben, I actually have a question for you, Ben Woelk. Sorry, EDUCAUSE Ben. So I know you work, you do awareness and education work at your institution. And I'm hearing increasing conversations about this like human element of cybersecurity and privacy and the human capital is what will help us stop these issues by educating students and faculty. What do you feel like these trends are gonna, how do you feel like they'll impact the work that you're doing on awareness and training at your institution? 

Ben Woelk

It's really interesting. And I do look at it more as the managing human risk thing, but now it's probably too late to get the job title changed, but it sounds better, right? It's interesting because when I was the Cyber Screening Privacy Professionals Conference in the spring, where we had the Strategic Foresight Pre -Conference that I attended, and our overall topic was generative AI. 

And I don't remember how many attendees we had, but all but one were very pessimistic about what generative AI was going to do because of how it was going to equip the attacker. What I'm looking also around this is there's some pluses because it is really, those tools are really good at generating content and you have to do work with them, but they generate content and even generating ideas about how would I engage my community around some of these things as simple as a, we're gonna be participating in an event for new students and they're wanting to kind of do a carnival theme. What are five different cybersecurity type games that we could devise to play at that carnival thing? And the most interesting was like a whack -a -mole type thing, but we couldn't figure out how to pull that off. But that… And most cybersecurity professionals would tell you our job is a whack -a -mole game anyway. generally, Nicole, I think it goes both ways. think we've got new challenges to talk about. Honestly, we still have people falling for the same things. But the difference now is I'm expecting more sophistication from the attackers actually than I'm seeing so far around this. 

I don't necessarily think it's, I think it's going to all equal out at some point. don't necessarily know that it's going to make the job harder. More things to consider more places to tell people, no, you should not be putting private information into a public generative AI platform sort of thing for, know, because it'll use it for training. But generally it's not, I don't know for sure yet. And that's a really long winded way of saying that. 

Ben Woelk

I'm expecting to take advantage of new techniques. I'm expecting new things to help get people prepared to face. 

Nicole Muscanell

No, go ahead. 

Nichole Arbino

I've, go ahead. So my follow up question to that, as we think about the way our students, our traditional students that are 18 to 22 year old students consume and learn about this content is different than the way that faculty and staff do, do you see your strategies changing for how you educate students differing from how you educate faculty and staff? 

Ben Woelk

Yes, but figuring out what's going to be impactful and effective with the students is tough right now. We do have cybersecurity training for incoming students. So we're getting about a third of the students come as they come into that, but they don't read email very often. I mean, it's a big generalization, but they certainly see the emails for the… Administrative assistant job that's work at home for $350 a week. mean, they're very quick to answer that, but they're not seeing the same things where we're warning them that they may receive something like that. So it's interesting. It's a challenge. my take on it has always been, you need to use multiple techniques. You do have to be repetitive in your messaging because it's new audiences to some degree every year, but it's, I don't have a magic bullet with it. is just, some of us just continuing to churn through and help people and figure out where we're seeing victims and what can we do to head some of that off. 

Nichole Arbino

I know Ben and I both worked as advisors in past lives before Etica, so the email thing's little too real. 

Nicole Muscanell

I was a former professor, so yes, I'll also jump on that. And I don't want to keep putting you on the spot, you're our member here who actually, you're at an institution. Yes, you're the non-institution. You're more in tune with probably what's actually going on out of campus. But kind of following these questions. 

Jenay

Yeah. 

Ben Woelk

I'm the non-EDUCAUSE person on the thing. 

Jenay Robert

Yeah. 

Nicole Muscanell

I'm curious as to whether you're seeing, not just students, but guess faculty, staff, students, would you say that you have any sense of whether or not they're becoming more interested in playing an active role in protecting their data? Because I think we see this in this year's report, but this is something that we've been seeing kind of every year really, is that there's this trend that people are becoming more concerned about their privacy. 

But I'm wondering if on campuses we're seeing that stakeholders in general are actually becoming then more interested in playing a role themselves. I don't know if you have any thoughts on that. 

Ben Woelk

I think there's, starting with the faculty staff side, I think there is more acknowledgement and understanding that they have to play an active role in ensuring their security and privacy, that we can't do it all. But some of this gets in place by, well, if you're going to do research and you have to provide this information, you have to submit what we call an information access and protection questionnaires so we know what type of information the solution or whatever it is you're proposing is going to deal with so that we can advise accordingly. I don't know how much of that would volunteer people would voluntarily do but when it's part of the approval process it helps. The student side is really interesting because my assumption was going to be that they've just given up, you know, that everything, everything about me is out there. It's going to continue to be exposed. And I think we definitely see some of that with the students, but I do know that they are concerned. It's interesting. I don't know whether it has to do with what they're able to affect in some ways, but I know there's more interest in how will RIT use my information as opposed to whatever cyber criminal has gotten the piece of it. But what was interesting was my assumption over the last few years is everybody's gonna have given up. But in teaching that class around the cybersecurity policy and law, and we talk about privacy in there also, is that some of the students are very much, no, it's up to us. We need to make that difference. We need to figure out how to do it. We'll see what happens if it goes forward, but I think we've always got a part of the population that's energized and another part that is just kind of there in general, well past students, but across society. 

Jenay Robert

This conversation about reaching the students makes me think of the transformation scenario in this Horizon report that we're talking about where we envision this completely transformed future of higher education. And in this particular scenario, we envision that future entirely revolving around or at least having this foundational element of privacy and security education for students from kindergarten all the way through, you know, pre-K kindergarten all the way through the lifelong learning opportunities that are out there. And that's just such an interesting scenario for me to ponder as someone who's worked at an institution and, and it's a couple of, we've already talked about, we've, some of us have taught students, some of us have advised students and me thinking back in my past life, what would it have looked like teaching the courses that I taught? I used to teach like pedagogy courses, for example. If I did make sure that that was a foundational element of what I taught. Make sure I addressed FERPA, for example, even though my class was not necessarily directly related to that. What would that look like? And how realistic is it to think that perhaps not, we describe these scenarios as like the four corners of potential futures. It's not that we expect any one of these to happen and certainly not to the extreme that we presented in the report, but they're data informed ideas of extreme versions of the future. And we hope to gain some insight about what we want to avoid and what we might want to actually leverage. So thinking about pieces of that I'd love to see come to pass would be more across the, across the curriculum. Maybe it's a, maybe it's a gen ed element from now on. You have to take a course in data privacy and security or something like that. That was something that I found like a hopeful vision of the future. 

Ben Woelk

And I think one thing that I'm seeing is you have groups like ISE2, which is now really doing a lot more to promote K through 12 education around cybersecurity and I'm assuming privacy also. But I also look at the work that Anshul Reg has done at Temple where they are actively engaging educators, secondary educators, and with information about how to teach these concepts to their students, it would be so much easier if this, with people would learn this as a regular part of their schooling before they get to college. Because it's, I mean, it's like everything else. All of it says, wow, I have freedom. I'm no longer at home. All of this sort of thing. then it's like a new, I don't think the idea of getting an account compromise is a new thing when you're in college, but understanding what the impact could be is a little bit different and especially the impact on some scams and that a scam can have and things like that and how quickly things money can disappear. 

Nichole Arbino

I think it's also, thinking about how students, this idea that students don't care. Like there's like this pessimism about it. And someone had brought that up at the Cybersecurity and Privacy Professionals Conference back in May, about like, just students don't care. I don't know what to do because students don't care. And someone had brought up like, this is the generation that invented the Finsta. If you're not hit to the lingo, a Finsta is a fake Instagram account. So students will have like the Instagram that their grandmas love and follow them on, and then the one that they send to their college friends. 

And so they do, I do think there is this awareness of what they're putting out there and who they're putting it out there to, which I think speaks to your point, Ben, of, you know, there may be some pessimism about like, yeah, my information has been leaked, but I am opting to be a student at your institution and I do care about what you are collecting about me and how you're using that information about me. So I think it's an interesting, two things are true about how students perceive their data being used. 

Ben Bongers

You know, I think that reminds me of one of the other scenarios, which is the growth scenario. These vignettes at the beginning of these scenarios are really thought provoking. so shout out to whoever wrote those, or thought of those. Those are awesome. but this one for growth, it's around data health as a selling point, right? I'm trying to imagine, you know, ten years from now going on an admissions tour and the admissions guide is talking about how their university or institution has really strong data health, cybersecurity, privacy, they've invested in it over the last ten years. And all of a sudden, like the parents, the students are really impressed. And that's one of the main things that they're thinking about when they're going into the college selection process. It feels so different. 

At least for me, from what happens right now, like I don't think that that is on top of students' minds all the time. I think it's a consideration. It's an important consideration. But to have that be number one consideration feels like a different future, which I guess is the point of these Horizon reports, right? You're trying to imagine something that's different. I can appreciate it because, especially these scenarios, because Even some of our recent work at edge of cause has shown that all people, but definitely cybersecurity and privacy professionals are operating in sort of a reactive mode at times. that's in due to all sorts of things. Maybe it's workforce gaps, maybe it's staffing workload issues, all sorts of things like that. But it can be really hard when you're, you know, kind of head down working on just what's right in front of you to take a step back and think through. 

What's a strategy for the next ten years? How can we wrap our arms around this, get our heads around this? And that's one of the things that I love about this Horizon Report is it's motivating. It's a positive take at times on what could be instead of just feeling overwhelmed by shoot, like technology's moving quick. We're losing people to other industries and sectors. I guess, like we should just throw in the towel. Like, hopefully this works out. 

Ben Bongers

That's not what it's doing. I think it's motivating us to think through in an informed way. How can we actually do something like this? I know you touched on that earlier, Janay, but I love that part of the Horizon Report. I'd be curious if you all have seen some of that in your work through EDUCAUSE, as well as Ben at your institution of how students are thinking about coming to an institution and is data and data privacy part of that conversation. 

Nichole Arbino

don't know if they're thinking about it yet then. I also will say shout out to our colleague Mark McCormack who wrote the vignettes this year. They're amazing. I love reading them. But I think you're right that I'm so curious what that will look like in ten years, but especially as these threat actors are having bigger impacts and bigger breaches that have reputational impacts on institutions. I could absolutely see that becoming a reality because it's like, well, I heard of this institution. They were in the news because of a big breach. And how does that impact? You know, I think about I have a one year old and like, so because of what I do, she'll probably grow up with a healthy distrust of maybe a little bit of paranoia around cybersecurity and privacy. But how does that impact her college search when she's 18 with… 

Ben Woelk

Well, reputation is tricky, right? Because we assume it's going to have a big impact. But if you go back to some of the retail breaches, like the Target breach and other things like, or TJX, we, interestingly, Rodney Peterson, when he was at Educause, spoke at this mini conference on campus at RIT. But we had people there from TJX and our assumption was you all must have really taken a hit because of this happening. And they said, nah, sales went down for about three weeks and then everything rebounded and it's old news at this point. But I also know even looking at the large breaches some universities have suffered, if it's not something that's impacted the university critically financially and operationally, I'm not sure that, and I don't want to mention names, but if you have a prestigious West Coast institution that has had three data breaches with hundreds of thousands of alumni and students exposed, I don't think they're seeing a hit in terms of people applying. I don't know if there's anything around the giving side. That would be something else to potentially look at it too. But what I, we've seen a few, a couple of this year is smaller colleges that were not able to recover from cyber attacks at all, much less the reputational piece of it. They couldn't stay in business. 

Jenay Robert

Yeah, I think just what maybe a week ago I got another one of those letters in the mail. This happened to be from my cell phone carrier. I won't say the name because I don't know if I'd get in trouble for saying it, but they say, you know, you're sorry we had another data breach and basically just my bad. And I, I remember like kind of pausing and thinking to myself like, yeah, this is so common now. Like every weeks probably, I don't know, least certainly multiple times a year, you find out that there's a data breach with some some company you interact with and I think back to when this first started happening and you thought, my gosh, this is, I need to change providers or whatever. But now I just think, okay, this happened again. And what am I going to do? Change to the other cell phone carrier who also has had data breaches? I don't, I don't know how we're supposed to handle that as consumers but I do want to kind of plus one, the point about, like very serious financial impact or, another piece to really think about is like how might accreditors change their procedures? You know, I didn't realize it until I started working with institutional research colleagues, at, an institution, but they get, they get phone calls from accreditor, their accrediting agency, like we saw this news story about your students doing this thing and we need you to now respond to how that happened and what you're gonna do to prevent that from happening again. so, you know, thinking about the role of accreditation in the future of cybersecurity and data privacy is very interesting. And then also circling back to kind of where we started around national guidelines, you know, legal ramifications basically. 

Ben Woelk

I think the other piece to add in there is cybersecurity, cybersecurity insurance requirements, because the insurance industry can drive some of the change also. Maybe not as severe as the accreditation situation, but if you can't qualify for your cyber insurance and something happens, there's already going to be a I'll call it a copay, but essentially it's a shared risk. But we are seeing more requirements come from the insurance side. And they haven't been certainly super specific, but we are still seeing requirements. 

Jenay Robert

Yeah, and imagine your financial institution as a higher ed institution. What if your financial institution then starts requiring you have to show that you're doing these types of trainings and you're protecting data in this way because they share the burden as well if you're compromised and it hits you in a financial way, then your financial institution carries more risk. So I could see some of these partners that you don't think about on a day-to-day basis starting to implement some requirements. 

Otherwise, we're going to charge you more for transactions that happen on your campus or whatever it is that they can leverage. 

Ben Bongers

Yeah, it's interesting to think about the external factors that could impact and influence cybersecurity and privacy moving forward and strengthening almost over the next ten years. I'm curious, you know, for folks listening and tuning into this, they may not be thinking about those external, you know, huge systemic, larger systems and how they might impact. They might just be thinking about, well, I work as a director or a specialist. So what could we maybe suggest as potential actionable points for them tomorrow? As they're trying to read through this and think through this Horizon Report's really great, what might be my next step? What do you think? 

Nicole Muscanell

That's a great question, but the immediately tomorrow part, think that makes that tricky. 

Ben Bongers

Yeah.

Ben Woelk

I I would say, and this is previous to the Verizon report coming out, but seeing all of the change being driven by generative AI, we put in place a generative AI safety and security advisory committee so that we were looking at it from a risk basis and trying to advise the higher governance strategy level about, so they'd be informed really about what they choose to do. 

I think when these reports come out and there's, think some, I think a good portion of people know about some of these issues, but I think it makes a difference when they're highlighted in a report like this. And it does give you something you can take and show someone, right? know, these, this team or this community of cybersecurity and privacy professionals has indicated that we need to pay attention to this. I think we should look at it. 

Ben Woelk

then I think the issue that with, we're, that people run into is some of it's a staffing thing. Some of it's a money thing. Some of it is how can I possibly do something now and more proactive when I'm doing everything I can to keep the doors open, you know, and the lights on and everything. So I think it's with, on the cybersecurity side, I can speak to it. It's always a balance between what you can accomplish strategically and what you have to react to. But with things you have to react to, the mantra has always been, don't waste a crisis. In terms of getting the things that you need, I think a report like this helps in terms of saying, hey, this is something we need to start paying attention to. Let's get a group studying it at the least. 

Jenay Robert

Yeah, I bet I'm kind of plus one on that. And really that question of what do I do tomorrow depends a lot on where you sit in the institution or if you're even at an institution. But let's just say for now, where you sit in the institution. If you're a frontline worker, you're not leading a team or leading strategy, what do you do? And I think something that comes out from a lot of, for example, Horizon Action Plans, where we try to translate these reports into action almost always our panelists tell us really the first step is educating yourself as an individual. Broaden sort of what's coming in on a daily basis, whether that's you have a LinkedIn network or you have community groups at Educause that you're a member of, whatever it is for you, expand that a little bit and try to include a little bit more input from security and privacy because to Ben's point from the beginning of this chat, these things change so rapidly. It's not that we can say, take this class or learn about this topic and you'll be good. It's really more about continually developing that knowledge and having sort of that growth mindset. So that's the sort of action that I would recommend for folks kind of in those frontline roles at the institution. I would say for individuals who are leading teams, maybe departments have more strategic vision or responsibility. One thing I really love about the Horizon reports is that we give exemplars, throughout, and maybe ghosts just go through and identify some of those programs or initiatives that really inspire you. And then reach out to those colleagues and ask them, how did you do this? What did you do? Can we, can we talk about it? and again, not picking on Ben, but that was another thing Ben talked about, right? That, that being able to engage directly with colleagues has been so helpful. 

So reach out, like why not? Those are the two things that I would say would be great things you can do this week. 

Nichole Arbino

Yeah, my thought goes along with Janay's also. So I'm a big believer that change happens through relationships. So whether that's relationships within community groups at EDUCAUSE or relationships with your senior level staff or even like relationships across campus of like, if I click on that phishing link, I'm going to make Ben's job harder. So I'm not going to click on it. I'm going really careful. you know, relationships with student workers who then tell their friends, be careful what you're clicking on and hey, that job posting about administrative work from home is not real. 

And so those relationships that we create across organizations at other institutions through EDUCAUSE, wherever, are what's going to help us make more progress more quickly. 

Nicole Muscanell

I agree with everything. So I don't want to keep reiterating the same points, but I would say also just keep up with some of our other products that we have coming out at EDUCAUSE that can take a, or can help to answer some questions in these areas. So just for example, we have workforce reports and we're going to have a series of 2025 workforce studies that come out that look at, for example, we're doing one specifically on cybersecurity and privacy and keeping up with something like that can help institutions understand how they might actually better address some of the workforce gaps and issues that they're seeing, which are certainly apparent in some of the trends that we see this year in our Horizon Report. So things like that and like Janay said, definitely check out our key technologies and practices. And you can see universities in action and what they're already doing. Very specific examples for how they're actually doing things like, for example, empowering users on their campuses to take action and play an active role in their own data protection. 

Jenay Robert

Point to end on I feel like. Stay tuned for more cool resources coming out. 

Nicole Muscanell

Me too. Yeah, read all of our stuff. Just read all of it. 

Jenay Robert

Same bat time, same bat channel. You'll catch us next time.