Educause '22: Cybersecurity Tips for Tight Budgets

College and university IT departments are busier than ever accommodating the shift to hybrid learning models, putting pressure on CISOs and their staff to strengthen cybersecurity without ballooning costs.

In today’s increasingly digitized higher ed landscape, as IT departments are tasked with both managing and securing growing networks with new vulnerabilities, some higher ed IT leaders say their departments are too understaffed for the uphill battle against cyber criminals and ransomware that have cost U.S. higher ed institutions billions.

Noting the obstacles, experts from the Virginia-based IT company BreakPoint Labs compiled a list of budget-friendly ways for colleges and universities to improve their cybersecurity postures, which the company's Director of Operations Zachary Meyers presented Nov. 2 as part of the Educause Annual Conference.

Among the proposed initiatives and solutions were locking down external login portals, identifying and addressing cloud security flaws, implementing phishing training, updating network share permissions and strengthening password security.

“Every year, academic institutions and educational programs often face a budget or constraint with a budget … and cybersecurity can always succumb to operations,” Meyers said, noting that the company has worked with organizations recently to identify and address IT security deficiencies like these.

“What we like to focus on is keeping higher ed out of the headlines. They’re a target today that’s commonly targeted, mostly with ransomware campaigns, hacktivists going on the Internet,” he said. “Sometimes it’s highly targeted … but a lot of times we’re just seeing hacktivists do this or different groups that have financial incentives or gains.”

Meyers' panel noted that as universities have become more reliant on new systems to facilitate remote and hybrid learning, it has become increasingly important for them to assess what the “Internet knows” about their organization. He said IT departments need to know their "external footprint" and ask themselves, “Do you know what Internet-facing systems and devices belong to your institution?”

“It’s important to not only know what your IP space is that’s assigned to your higher education institution, but what web services are available to the general public,” Meyers said, adding that organizations should flag unusual or excessive external login and authentication attempts. “We’ve seen a lot, across higher ed, of automated lockout policies ... There are ways attackers can circumvent those controls and still ultimately get to the prize of compromising an account via password spray.”
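The gap Meyers describes can be seen in a short detection sketch, added here as an illustration and not taken from the presentation or from BreakPoint Labs. It assumes constructed login events, a per-account lockout threshold of 5 failures, and an alert threshold of 10 distinct accounts per source in 30 minutes; all names and values are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, username, success)
def _ev(minute, ip, user, ok=False):
    return (datetime(2022, 11, 2, 9, 0) + timedelta(minutes=minute), ip, user, ok)

EVENTS = (
    [_ev(i, "203.0.113.7", f"student{i:02d}") for i in range(12)]  # one try per account
    + [_ev(m, "198.51.100.4", "jdoe") for m in (1, 2, 3)]           # one user mistyping
    + [_ev(4, "198.51.100.4", "jdoe", ok=True)]
)

LOCKOUT_THRESHOLD = 5       # assumed per-account lockout policy
SPRAY_DISTINCT_USERS = 10   # assumed alert threshold
WINDOW = timedelta(minutes=30)

def locked_accounts(events):
    """Accounts a per-account lockout policy would lock (cumulative failures)."""
    fails = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            fails[user] += 1
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}

def spray_sources(events):
    """Map source IP -> most distinct accounts it failed against within WINDOW."""
    by_src = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        if not ok:
            by_src[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most WINDOW.
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= SPRAY_DISTINCT_USERS:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

if __name__ == "__main__":
    print("locked by per-account policy:", locked_accounts(EVENTS))
    print("flagged as spray sources:", spray_sources(EVENTS))
```

On the sample data the lockout policy locks nothing, while counting distinct accounts per source flags the one address that touched twelve accounts once each.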

The panel noted that many institutions have moved all their on-prem systems to the cloud or a hybrid model, adding that network and system administrators of traditional on-prem networks often have little to no training with cloud systems. Aside from professional development solutions, Meyers said, IT teams can use tools such as open-source multicloud security auditing functions, among others.

“Oftentimes, we’ve seen traditional network administrators and system owners that deal with on-prem having to learn how to develop and deploy cloud infrastructure, with little to no training,” he said. “And with that, security flaws can arise.”

While there is a plethora of issues and vulnerabilities for IT administrators to look out for, Meyers said, many can be addressed and even avoided altogether through creating a culture of "cyber hygiene" throughout the institution.

The panel also noted the need to enhance policies around phishing training across campus and host sandbox IT security exercises for staff, among other solutions.

“At the end of the day, the end users — are they the weakest link? Not all of the time, but the majority of the time,” Meyers said.
Brandon Paykamian is a staff writer for Government Technology. He has a bachelor's degree in journalism from East Tennessee State University and years of experience as a multimedia reporter, mainly focusing on public education and higher ed.