I don’t really need to belabor the point that securing educational institutions is both incredibly challenging and crucially important; it’s a bit like describing the importance of water to a fish. Schools and universities are here for the primary purpose of education, but they often have groups devoted to healthcare, finance, retail, and research, among the other usual administrative departments like human resources and accounting.
And with that breadth of service comes an alphabet soup of security compliance regulations that you need to be aware of, such as HIPAA, CIPA, COPPA, FERPA and PPRA. Within higher education, there is also the expectation of an openness of information within and throughout the organization. How on earth can colleges and universities be expected both to fiercely guard and freely share information?
Information and Assets in Context
If we think of security and privacy in the context of our daily lives, there are things each of us considers private (including both property and information), and we take steps to make sure they’re shared with only a limited number of people, such as close family members.
And then there are other things that we would give away freely to anyone who asked. Most of us don’t have to give this process a lot of thought, and the categorization happens automatically because our personal context is relatively stable.
When you have the interests of more than just a small group of people to consider, you will be bringing a myriad of different contexts into the equation. But there is a significant advantage in having a wealth of different people contributing their privacy contexts and their visibility into your environment, as it can help you root out the most persnickety corner cases.
3 Campus Security Musts for Summer Kick Off
1. Know what you have
As the recent WannaCryptor ransomware outbreak illustrated, the security chain is only as strong as its weakest link. It’s important to identify all of your assets, in terms of both data and physical machines.
It’s important to be thorough: attackers will not necessarily enter networks through obvious places, so the inventory must include that one machine moldering in a back room that is running prehistoric versions of software and is nonetheless connected to the internet. Because school networks have such an itinerant population, this must be an ongoing task rather than a yearly chore.
Once you have established regular reporting of your assets, you can start identifying the risks associated with those assets. Performing ongoing risk assessment gives you a number of other benefits. Having a constantly evolving record of your assets improves reporting and tracking of security incidents, and it can help you recognize suspicious actions more quickly.
In an industry where budget cuts can seem to be as certain as death and taxes, good records can also help justify the necessity of budget items, and help assure more appropriate levels of coverage with whatever money is allotted.
2. Create lists to reduce risk
Now that you’re aware of your assets and their relative risks, the next step is to mitigate those risks. There are certain things we should all know by now that we must be doing for every machine in our network: applying software updates in a timely fashion, making regular backups, encrypting sensitive data, using a reputable anti-malware program at the gateway and on endpoints, using firewalls and intrusion prevention software, and filtering email for unwanted or malicious content.
We should not stop with these basic techniques: by creating lists of systems and users that require varying levels of access we can reduce risk or mitigate damage. Inevitably, there will be machines on your network that must be handled with kid gloves, and there will be others that must be allowed a great degree of autonomy.
Likewise, some users may require wide-ranging access, while the needs of others may be more limited. While machines and users that require relatively unfettered access can create major security headaches, it’s possible to limit potential damage.
It’s important not to give any individual, system or part of your network any more access than is absolutely necessary to perform approved job functions. For example, you should carefully consider whether employees must have administrator-level access to their machines, or access to areas of the network outside their own departments.
Some users will require different handling, depending on their role in your environment. Strong authentication and authorization can help you verify that users are who they say they are, and this identity can be checked against permission lists to determine what resources they are allowed to access.
Also, use more than simple usernames and passwords to verify your users’ identities, especially on machines with valuable or sensitive information. Two-factor authentication is now available on most online services, and can be easily added to your own login processes.
Finally, keep uncontrolled devices, such as mobile devices or laptops brought by staff or students and internet-connected “Smart” devices, in areas of your network that are unconnected to areas where sensitive data resides (e.g. payroll information, healthcare records, and research data). Keep the sensitive areas of the network segmented so that they are separate from each other and an attacker cannot use a less-secured device in your environment to get to a more valuable area.
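The segmentation rule above can be checked mechanically. The following is an added example, not part of the original article: it treats the allowed flows between network zones as a directed graph and reports any chain of allowed flows leading from an uncontrolled zone to a sensitive one, or from one sensitive zone to another. The zone names and the flow list are constructed for illustration.

```python
from collections import deque

# Constructed sample policy: each tuple is one allowed flow (source zone, destination zone).
# All zone names are hypothetical.
ALLOWED_FLOWS = [
    ("byod", "internet"), ("iot", "internet"),
    ("byod", "print"),            # students may print from their own laptops
    ("print", "staff"),           # print server reports to a staff-network host
    ("staff", "payroll"),
    ("clinic", "health_records"),
    ("lab", "research_data"),
]
UNCONTROLLED = {"byod", "iot"}
SENSITIVE = {"payroll", "health_records", "research_data"}


def exposure_paths(flows, sources, targets):
    """Shortest chain of allowed flows from each source zone to each other target zone it can reach."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
    found = []
    for start in sorted(sources):
        parent = {start: None}            # BFS tree; also serves as the visited set
        queue = deque([start])
        while queue:
            zone = queue.popleft()
            for nxt in sorted(graph.get(zone, ())):
                if nxt not in parent:
                    parent[nxt] = zone
                    queue.append(nxt)
        for target in sorted(targets):
            if target != start and target in parent:
                path, node = [], target
                while node is not None:   # walk back from the target to the start
                    path.append(node)
                    node = parent[node]
                found.append(path[::-1])
    return found


def audit(flows):
    """Check both conditions: uncontrolled-to-sensitive and sensitive-to-sensitive reachability."""
    return {
        "uncontrolled_to_sensitive": exposure_paths(flows, UNCONTROLLED, SENSITIVE),
        "sensitive_to_sensitive": exposure_paths(flows, SENSITIVE, SENSITIVE),
    }


if __name__ == "__main__":
    for finding, paths in audit(ALLOWED_FLOWS).items():
        for path in paths:
            print(finding, " -> ".join(path))
```

In the sample policy no single rule connects the BYOD zone to payroll; the exposure exists only through the print and staff zones, which is why the check has to follow allowed flows transitively rather than inspect rules one at a time.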
3. Gather support
Technological solutions can help mitigate some risks, but if you’re not addressing the way people interact with your network, your hard work may be all for naught.
Research shows that 52 percent of data breaches are the result of user error. If security methods cause too much hassle—if your users don’t understand what constitutes safe computing behavior or why it’s essential—they may thwart technological protections.
Security has gotten a bad reputation for being all about introducing impossible hurdles and constantly looking over people’s shoulders. If you work with your users to see how they go about their daily tasks, you can tailor security measures to their needs so that those measures enable users to safely do what they need to do. If done properly, it can even help users strengthen their privacy.
Once appropriate security measures are codified in an Acceptable Use Policy, you can start regularly training users about how to keep data and machines within the campus network secure. You wouldn’t explain the whole of geometry to a student once and then leave it at that. Likewise, it’s important to give security lessons to your users in digestible chunks and then build on important concepts over time (free resources exist).
Users are the eyes and ears of your network. By enlisting their help to distinguish between normal and anomalous behavior, and rewarding safer behavior, you can offer users more incentive to help improve your organization’s security. This, coupled with risk assessment and technological mitigation methods, can make a huge difference in your ability to fend off security disasters.