IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Educause '22: Cybersecurity Tips for Tight Budgets

College and university IT departments are busier than ever accommodating the shift to hybrid learning models, putting pressure on CISOs and their staff to strengthen cybersecurity without ballooning costs.

cyber security 1805632 1280.png
In today’s increasingly digitized higher ed landscape, as IT departments are tasked with both managing and securing growing networks with new vulnerabilities, some higher ed IT leaders say their departments are understaffed to fight an uphill battle against cyber criminals and ransomware that have cost U.S. higher ed institutions billions.

Zachary Meyers
Courtesy: Educause
Noting the obstacles, experts from the Virginia-based IT company BreakPoint Labs compiled a list of budget-friendly ways for colleges and universities to improve their cybersecurity postures, which the company's Director of Operations Zachary Meyers presented Nov. 2 as part of the Educause Annual Conference.

Among the proposed initiatives and solutions were locking down external login portals, identifying and addressing cloud security flaws, implementing phishing training, updating network share permissions and strengthening password security.

“Every year, academic institutions and educational programs often face a budget or constraint with a budget … and cybersecurity can always succumb to operations,” Meyers said, noting that the company has worked with organizations recently to identify and address IT security deficiencies like these.

“What we like to focus on is keeping higher ed out of the headlines. They’re a target today that’s commonly targeted, mostly with ransomware campaigns, hacktivists going on the Internet,” he said. “Sometimes it’s highly targeted … but a lot of times we’re just seeing hacktivists do this or different groups that have financial incentives or gains.”

Meyers' panel noted that as universities have become more reliant on new systems to facilitate remote and hybrid learning, it has become increasingly important for them to assess what the “Internet knows” about their organization. He said IT departments need to know their "external footprint" and ask themselves, “Do you know what Internet-facing systems and devices belong to your institution?”

“It’s important to not only know what your IP space is that’s assigned to your higher education institution, but what web services are available to the general public,” Meyers said, adding that organizations should flag unusual or excessive external login and authentication attempts. “We’ve seen a lot, across higher ed, of automated lockout policies ... There are ways attackers can circumvent those controls and still ultimately get to the prize of compromising an account via password spray.”

The panel noted that many institutions have moved all their on-prem systems to the cloud or a hybrid model, adding that network and system administrators of traditional on-prem networks often have little to no training with cloud systems. Aside from professional development solutions, Meyers said, IT systems can use tools such as open source multicloud security auditing functions, among others.

“Often times, we’ve seen traditional network administrators and system owners that deal with on-prem having to learn how to develop and deploy cloud infrastructure, with little to no training,” he said. “And with that, security flaws can arise.”

While there is a plethora of issues and vulnerabilities for IT administrators to look out for, Meyers said, many can be addressed and even avoided altogether through creating a culture of "cyber hygiene" throughout the institution.

The panel also noted the need to enhance policies around phishing training across campus and host sandbox IT security exercises for staff, among other solutions.

“At the end of the day, the end users — are they the weakest link? Not all of the time, but the majority of the time,” Meyers said.
Brandon Paykamian is a staff writer for Government Technology. He has a bachelor's degree in journalism from East Tennessee State University and years of experience as a multimedia reporter, mainly focusing on public education and higher ed.