Questions Boards Should Be Asking about Cybersecurity

By Jennifer Sparrow, EdD, Amazon Web Services, an AGB sponsor

September 8, 2022

Blog Post

Opinions expressed in AGB blogs are those of the authors and not necessarily those of the institutions that employ them or of AGB.

In the annual EDUCAUSE report that examines the top 10 information technology (IT) issues for higher education, information security and cybersecurity for college and university resources ranked at or near the top of the list. Both Inside Higher Ed and Forbes reported that cyberattacks against colleges and universities continue to increase. In December 2021, a ransomware attack against Lincoln College was so significant that the institution was unable to resume operations and had to close. Colleges and universities are seeing cyber insurance rates increase, sometimes 100 percent year over year. Due to the high cost of remediation and recovery, some insurers are simply not writing cybersecurity policies.

This ongoing and increasing threat is most likely top of mind for university chief information officers (CIOs) and chief information security officers (CISOs), but as a board member, are you asking the right questions of CIOs, CISOs, and university leadership to ensure you are aware of and mitigating risk and adequately preparing for disaster recovery should a cyberattack occur? Questions you might want to discuss with university leadership or provide to your risk and audit committees for a deep dive should focus on technologies, people, and policies. These questions include:

Identity access management: How is the university handling identity and access management credentials? Is there a modern system in place that can rapidly and accurately provision and deprovision accounts for university resources? Asked a little differently, do the right people have the right access to the right resources? A follow-up question might include, How is the university auditing this system and the associated process, and do the policies related to access management need to be updated to address emerging cyber issues? Is two-factor authentication in place, ensuring that key university technologies are protected?

Systems inventories: How is the university ensuring an accurate inventory of systems, and what work is being done to reduce the attack surface by eliminating or combining redundant systems? Are multiple systems doing the same functions? Once there is an accurate inventory, what work is being done to ensure that computers are updated with the latest security patches?

Compliance and government regulations: Who is monitoring and addressing the latest compliance and government regulations, especially those that focus on student and research data? Are the university’s policies aligned with changing regulatory requirements?

Disaster recovery: Does the university have comprehensive and up-to-date disaster recovery planning? If a cyberattack occurred, how long would it take for the university to restore the operations of key systems? Has the university conducted tabletop exercises to simulate a disaster recovery scenario?

Education: How does the university inform members of the campus community about information security and their role in helping to address ongoing cybersecurity threats? Are there opportunities to bring in external vendors to help with identifying and educating the members of the campus community on their specific risks? How is the IT workforce being upskilled to address the rapidly changing landscape of cybersecurity?

As colleges and universities continue to address cybersecurity risks, they are also facing unprecedented shortages in available IT security talent. (ISC)², the leading cybersecurity professional organization, reported more than 2.7 million unfilled IT security jobs in 2021. Colleges and universities can leverage the expertise of their vendor partners to help address some of these challenges. Additionally, the mix of on-campus and cloud computing resources can provide opportunities to address disaster recovery, education, government regulations, and system inventories. Amazon Web Services (AWS) is working with colleges and universities across the globe to help identify and mitigate risks, secure resources and prepare for disaster recovery, and provide education and training for the IT workforce. Please visit the higher education resources page to learn more about how AWS is working with colleges and universities to modernize and secure the academy, enrich the student experience, turn data into wisdom, and empower and accelerate researchers.

Jennifer Sparrow, EdD, is senior manager, higher education strategic accounts, Amazon Web Services, an AGB event sponsor.
