Bill Balint, CIO, Indiana University of Pennsylvania
Higher education IT is unique when compared to a typical corporate setting because our objective is not to limit actions taken by users based upon strict business interests. Instead, the objective of higher education IT is to enable users to leverage IT resources in response to their interests – especially teaching, learning, academic research and other scholarly activity – in a safe manner that adheres to all lawful standards while also respecting fellow users. As a result, considerations for providing a secured space for these activities should be an early and frequent discussion as changes are made to an institution’s IT landscape.
On the Education Security Front
Enhancing the security posture of an institution can be tricky while also attempting to enable as much IT activity as possible. Our institution has embarked on four new security-related initiatives intended to succeed without limiting the use of our systems.
First, the institution recently moved away from traditional passwords to a passphrase concept. This removes the requirement that users rely on combinations of special characters, numbers and upper-case letters, in favor of a longer combination of words. There is hope of adding two-factor authentication to this in the future. The institution has also become more aggressive in reducing the sensitive data it holds: if a user account is breached, the intent is to diminish the sensitive data that could be exposed. Finally, the institution has implemented automated scanning of links embedded in email and of attachments, aimed at supporting its anti-phishing objectives.
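The passphrase change above swaps a character-class rule for a length-and-word-count rule. The following added example (not the institution's actual policy, whose thresholds the article does not give) shows both rules as checks, plus a guess-space estimate that treats a passphrase as words drawn from a word list rather than as random characters. The thresholds, the 7776-word list size (diceware) and the sample strings are constructed assumptions.

```python
import math
import re
import string

# Constructed example thresholds; the article does not state the institution's actual rules.
LEGACY_MIN_LENGTH = 8        # classic complexity policy: 8+ chars, three of four classes
PASSPHRASE_MIN_LENGTH = 16   # assumed passphrase policy: length plus a minimum word count
PASSPHRASE_MIN_WORDS = 4
WORDLIST_SIZE = 7776         # assumed word list size (diceware: 6^5 words)


def _char_classes(pw: str) -> dict:
    """Which character classes a string uses (lower, upper, digit, punctuation)."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punct": any(c in string.punctuation for c in pw),
    }


def meets_legacy_complexity(pw: str) -> bool:
    """Traditional rule: minimum length and at least three of the four classes."""
    return len(pw) >= LEGACY_MIN_LENGTH and sum(_char_classes(pw).values()) >= 3


def word_count(pw: str) -> int:
    """Words are whitespace-separated tokens."""
    return len([w for w in re.split(r"\s+", pw.strip()) if w])


def meets_passphrase_policy(pw: str) -> bool:
    """Passphrase rule: overall length and word count only, no class requirement."""
    return len(pw) >= PASSPHRASE_MIN_LENGTH and word_count(pw) >= PASSPHRASE_MIN_WORDS


def charset_entropy_bits(pw: str) -> float:
    """Upper bound for a character-by-character random password: len * log2(alphabet)."""
    classes = _char_classes(pw)
    size = 0
    if classes["lower"]:
        size += 26
    if classes["upper"]:
        size += 26
    if classes["digit"]:
        size += 10
    if classes["punct"]:
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    return len(pw) * math.log2(size) if size else 0.0


def wordlist_entropy_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Upper bound for n words chosen uniformly from a word list."""
    return n_words * math.log2(wordlist_size)


def estimate_bits(pw: str) -> float:
    """Pick the model that matches how the secret was built.

    A passphrase of dictionary words is guessed word by word, so its strength is
    bounded by the word space, not by the much larger character space. Both
    numbers are upper bounds under uniform random selection; human-chosen
    values fall below them.
    """
    if meets_passphrase_policy(pw):
        return wordlist_entropy_bits(word_count(pw))
    return charset_entropy_bits(pw)


if __name__ == "__main__":
    for sample in ("Tr0ub4d0r&3", "correct horse battery staple",
                   "correct horse battery staple paper clip"):
        print(f"{sample!r}: legacy={meets_legacy_complexity(sample)} "
              f"passphrase={meets_passphrase_policy(sample)} "
              f"bits<={estimate_bits(sample):.1f}")
```

The word-based estimate is what matters for a policy like the one described: each additional word adds about 12.9 bits under these assumptions, so strength grows with length without asking users for symbol substitutions. The two models are not interchangeable; applying the character model to a dictionary passphrase would overstate its strength.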
"The gap between the increasing sophistication of these attacks and the ability of the average user to combat them continues to grow"
But these are just the latest in the long-standing effort to enhance the IT security posture of the institution, following major investments in a combination of security-related tools and services coupled with policy and education of users about IT security risks.
A major concern is the increasing complexity of attacks being seen. The increased use of bots, for example, can lead to more breaches of accounts from users leveraging the network to learn, conduct research or simply do their job. The gap between the increasing sophistication of these attacks and the ability of the average user to combat them continues to grow. A second concern is the potential for increased damage caused by successful attacks. A denial-of-service attack where the attackers try to prevent valid users from accessing an institution’s website, for example, can be devastating if it occurs during a registration period.
Another major concern is the sustainability of IT security resources and investments given the fiscal and staffing challenges faced by many of our institutions. It can be difficult to make the business case for added staff, products or services in IT security when many core business aspects of our institutions also have real needs.
Combating the Insider Threat
Our IT organization works tirelessly to promote safe computing practices at our institution via an on-going, multifaceted IT security awareness program. As part of that program, the institution works hard in the policy area to govern and educate users that insider attacks are not going to be tolerated.
But inadvertent threats can still occur when either a device or a user account is compromised; the insider may not be the bad actor in these cases. The key is not to overlook these instances, to remain vigilant, and to keep safeguards in place for attacks originating from both internal and external sources.
Our next step is to re-affirm with our executive leadership our commitment to investing significant resources and time into IT security-related hardware, software, services and user education as well as the operations to execute all of it. From there, we will only commit to investments that are sustainable. We cannot overreact to every trend or fad and then find ourselves without the resources to retain that investment in 2-3 years.
Within that constraint we invest in items that can best help limit the number of security incidents, enhance our response to any potential incident and limit the damage resulting from an incident. These will lead to resource commitments across the spectrum of policy, awareness, third-party services, software products, security staff education, etc.
Piece of Advice
I believe the first step to creating an enhanced IT security posture at an institution is for institutional leadership to understand that this is not an IT project, but instead an on-going operational program. As long as students are recruited, admitted, registered, billed, given grades and graduated, these functions must adhere to safe computing practices – which includes major investments in hardware, software, education and services.
Once leadership is on board, getting the word out about following safe computing practices is a very inexpensive way to get started. At the same time, seek investments and resource commitments that are sustainable over time. It can be very risky to end an investment in an IT security function, so any added investment should be made with the idea that it is more-or-less permanent until the threat it is intended to counter is no longer a threat.