College campuses are data mines, ripe with research results, intellectual property and students' personal information. While tasked with protecting that information, they also must support the free and open sharing of knowledge and ideas — imperatives that often work at odds.
Data protection, specifically, has long posed a challenge to campus information technology professionals. And that challenge is only getting greater as technology becomes more sophisticated and the number and type of internet-enabled devices on campus grow.
To learn more about how colleges and universities can defend against cyberthreats, we spoke with Russell Schrader, executive director of the National Cyber Security Alliance, a nonprofit public-private partnership that promotes awareness around cybersecurity and privacy.
This interview has been edited and condensed for brevity and clarity.
EDUCATION DIVE: What do you think is the biggest cybersecurity challenge facing colleges and universities?
RUSSELL SCHRADER: The biggest challenge is knowing what you have and who is accessing it — data integrity. The idea is that when you put data in, it stays exactly the same while you're storing it, you know who's taking it out, and it's exactly the same way it was before [when they're done]. It's not just about access to data and dissemination of data, it's what's happening to that data at rest.
A lot of colleges don't have up-to-date, sophisticated data-management systems and hardware and software to do that, so they're prone to attacks not only to exfiltrate data but also to change data. It's certainly not unknown for institutions that pride themselves on having open and accessible systems to also pride themselves on educating an incredibly sophisticated group of students who are well-versed in cybersecurity and in coding.
So, students who know how to hack their grades?
SCHRADER: I don't know if they know how but I think some of them may be tempted to try to figure it out as part of a challenge. There are cybercriminals, state actors and terrorist groups, but there are also people who do it for bragging rights or for the challenge that's posed to them.
Is the threat bigger from on campus than from off campus?
SCHRADER: There are all kinds of threats and you really can't differentiate them. The answers on how to deal with those threats are very similar. You need to have a very secure system with access control, encryption both at rest and in flight, and logs that show who has been in the data and what their authorizations and credentials are. You also need to keep your systems up to date and have a locked-down login.
More colleges are looking at multifactor authentication (MFA). How does it work?
SCHRADER: Authentication is something you know, something you have and something you are. Something you know could be a password. Something you have could be a cellphone that you can send a separate [verification] code to. And something you are is a biometric thing, like putting your finger on your phone to unlock it. With two-factor authentication, you mix and match something you have, something you know and something that you are.
How would that work on a campus?
SCHRADER: On college campuses, people may lose a student ID, so the 'something you have' is gone. And 'something you are' can be expensive to put in, such as iris or thumbprint scanners. Part of this process is balancing the cost and what you're trying to protect. With MFA you use something like a student ID combined with a code that's sent to a student's phone. When you have a lot of people doing a lot of sophisticated work in one place, such as on a college campus, MFA becomes even more important when losing or stealing a student ID is a possibility. And with resident students, they're with you 24/7 and their online and offline lives are blurred. When you have MFA, it's very easy to authenticate a student for whatever facility, data or system they are accessing.
What are some of the biggest risk factors on college campuses that make the institutions vulnerable to cyberattacks?
SCHRADER: Failure to keep their systems up to date. Crooks are out there always looking for new attacks. Operating system providers push patches and updates but they can only get to your front door. You have to put them in. It's not sexy to sit around and update your operating system, but it's the best way to make sure you're not opening your institution up to attacks that have already been solved for.
It's also important to delete things you no longer need, whether it's data, software or other programs. Universities have traditionally collected massive amounts of data. I remember where for years your Social Security number was your student ID. If you don't need the data, get rid of the data. Keep a clean machine and lock down your login by using MFA and other access controls.
Students, faculty and staff often have multiple devices. What are some ways to get them to buy into cybersecurity best practices?
SCHRADER: Part of it is just education and reminders of what the threats are and what they need to do. For example, weekly newsletters or campus-wide emails would be terrific, or if you made a contest out of it by giving people points for spotting a phishing message and recording it.
It comes down to having passcodes and passwords that are strong, using two-factor authentication for really important information, and keeping operating systems up to date. For example, iOS 12 came out a couple of weeks ago, so reminding students with Apple devices that they need to download the new operating system in order to take advantage of new security features if those are included in the release.
What's one thing you wish college students did differently with regard to cybersecurity?
SCHRADER: I wish they would call a parent. Students are very cyber savvy. It would be great if they could share some of that information with the prior generation who may not be as cyber savvy and to talk about the different kinds of ways the internet is changing and improving their lives. On the flip side, parents would have a chance to make sure that their kids are also dealing with things in a safe way in terms of updating and having stronger passwords. That kind of intergenerational communication would go a long way to help them both.