COVID-19 Cyber Risk: What Should Trustees and Administrators Do?

By Bob Barker, CEO, Cybernance Corporation July 15, 2020 May 11th, 2021 Blog Post

Opinions expressed in AGB blogs are those of the authors and not necessarily those of the institutions that employ them or of AGB.

While university administrators scramble to cut costs and raise revenues, the forced move to online learning has substantially heightened cyber risk. Higher education already carries more cyber risk than most other sectors. Almost all of a university's internal systems are online, connected to networks that are hard to control given the ad hoc, unpredictable support that research projects require and the autonomy granted to professors who bring in large research grants.

For all but the largest schools, competition for tight budgets means that cybersecurity hasn’t become as high a priority as it deserves. Most smaller schools lack the resources for a dedicated security officer. Breaches are common in higher education, and even small liberal arts schools have been subjected to sophisticated attacks.

For example, in March 2019, the Washington Post reported that “hackers breached the system that stores applicant information for Oberlin College in Ohio, Grinnell College in Iowa, and Hamilton College in New York and emailed applicants…. For a fee, the sender promised access to confidential information in the applicant’s file, including comments from admissions officers and a tentative decision. The emails demanded thousands of dollars in ransom from prospective students for personal information the hackers claimed to have stolen.”

We asked George Tsantes III, a trustee of Virginia Wesleyan University: How can colleges and universities bring themselves into the 21st century in terms of cyber maturity and cyber resilience, and do so affordably? As both a trustee and a bona fide cyber expert, Tsantes understands both the massive cyber risk that universities face and their challenges in addressing it.

“Much like any business, universities must inventory assets and prioritize their cybersecurity efforts to protect the most important and critical assets,” he says. “Obvious assets include payment information, personally identifiable information (PII), and investment accounts. Less obvious assets include sensitive research, university leadership email accounts, security cameras, and other information valuable to threat actors.” As other cyber experts continually stress, taking some basic steps can mitigate a considerable portion of the risk.

When asked about the approach that administrators should take, he says, “Leadership must understand their university’s cybersecurity posture both in absolute terms as well as relative to their peer group.” He stresses the importance of evaluating cyber resilience against the Cybersecurity Framework (CSF) from the National Institute of Standards and Technology, which was developed by 3,000 experts from academia, business, and government.

“NIST CSF provides an excellent structure for understanding an organization’s cybersecurity posture and maturity,” he says. “With an automated version of CSF like that provided by Cybernance, for example, not only can a university understand its absolute cybersecurity posture, but it can measure its relative score with peer institutions of similar size and scope.”

Most trustees don’t have a background in cybersecurity. While they can’t be expected to become technical experts, their responsibility for minimizing risk to the institution is significant, so they must become vigilant about how cyber risk is being handled.

We asked Tsantes what trustees and administrators need to know to guide their institution toward better cyber resilience. He proposed three key questions they should ask:

  1. Are we protecting critical assets based on their value, that is, the damage their compromise would cause? With their limited resources, colleges and universities must identify the critical data assets whose loss would severely impact operations, then allocate money and effort to protect them in advance of a breach.
  2. Are we making new mistakes or repeating the same mistakes? Cybersecurity issues are inevitable, so a cyber-mature organization must plan to address each incident by putting measures in place so that it is not repeated.
  3. Are we identifying cybersecurity issues as early as possible? Cyberattacks will happen. By identifying them early, the institution limits the resulting damage, including reputational damage as well as financial and data losses.

Trustees and administrators are well aware of the heightened cyber risk posed by the recent move to online learning, and they have many questions about the measures their institutions are taking. Assessing the institution against a comprehensive framework like CSF, and automating that assessment, gives them assurance that risk is being considered across the whole framework rather than piecemeal, and it provides a shared vocabulary for communication between the board, administrators, and the staff responsible for security.

With Thanks to AGB Sponsor: Cybernance

Bob Barker
Chief Strategy Officer, Cybernance Corporation
bob.barker@cybernance.com