Over the last few years, the Internet of Things (IoT) has morphed from a futuristic concept to a real-world framework. Today, approximately 7.4 billion devices are connected through the IoT, and the number swells by about 1,000 per minute, or 1.5 million each day. By 2020, estimates for connected devices range as high as 75 billion.
These connected devices offer many advantages. They automate activities, simplify tasks, and deliver insights that would have been unimaginable in the past. Yet, they also present vexing security challenges. The lack of security in today’s connected environment is profound, which translates into massive vulnerabilities.
On May 15, 2017, the Albuquerque Journal reported a server breach at the University of New Mexico. It affected 23,000 people, including donors, annuitants, foundation employees, and vendors. A memorandum sent to trustees of the foundation almost one month later stated that an “unauthorized individual” had gained unauthorized access to a file server. The intruder potentially harvested contact information, donation amounts, check routing numbers, social security data, and birth dates.
Stories like this are all too common. In fact, the number of U.S. data breaches reached a record 1,093 in 2016, according to the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911). Although the University of New Mexico intruders didn’t gain access to the school’s general database of more than 300,000 alumni, the incident—and the 30-day lag between discovery and notification—illustrates some of the disturbing and potentially costly issues that organizations face.
Getting Schooled on Risk
The massive Target Corp. breach—and resulting federal court rulings—made it clear that when negligence is determinable, hundreds of millions of dollars in damages are at stake. It’s vital for education executives to understand and address all the parties and the risks:
Students. A 2013 case involving Auburn University and the Vermont Attorney General illustrates the dangers and risks of today’s environment. In this case, two records were exposed by the school, but it took 119 days to notify the affected parties (Vermont law requires notification to the state’s attorney general within 14 days and notification to consumers within 45 days). A settlement recognized that non-adherence to Vermont’s breach notification law could result in liquidated penalties as high as $10,000 per violation, which should be interpreted as each student.
Faculty. The personally identifiable information (PII) of faculty—particularly those involved in key research areas, such as biological agents, artificial intelligence, and defense technologies—could have dire consequences in the wrong hands. In some cases, this information could also spawn lawsuits and criminal prosecution.
Research and Grants. The leakage of intellectual property could extend beyond the boundaries of typical negligence. It could involve government, businesses, and other third parties. It could also extend across international borders. Thus, the legal ramifications of a breach could be significant both in financial publicity terms.
Alumni. Alumni often contribute to a university financially and in many other ways. A breach erodes trust and could result in diminished donations or participation. But the problems don’t stop there—a breach of PII data for alumni could threaten these individuals and spawn legal action.
Making the Grade
Higher education institutions also face specific challenges related to cybersecurity and IoT. These include:
Cloud Security: Although cloud providers often deliver better security than organizations can muster on their own—and they eliminate the issue of patching and firmware updates—there are still risks associated with clouds, including data access and data in transit. It’s important to know what protections a cloud or managed services provider offers.
Performance: A security framework must be flexible enough to adapt to rapidly changing data platforms and today’s highly virtualized environments. As universities consolidate data centers and databases, these issues become magnified.
Data: The University of New Mexico intrusion isn’t an anomaly. In recent years, cyber-criminals have targeted higher education institutions with growing frequency. They may be looking for research data, intellectual property, payment data, social security numbers, and student and faculty information. The common denominator is that universities contain a treasure trove of PII, including for affluent alumni.
Access Controls: An organization must ensure that students, visitors, faculty, administrators, vendors, and research partners have access to the applications and data they require—but nothing more.
IoT Devices: It’s critical to identify all connected devices on the network and ensure that they are registered. These include smartphones, tablets, computers, security cameras, and various other devices that may exist. Some of these devices, such as student video cameras and media devices, also represent risk. In addition, it’s vital that your security teams know what security the vendor has built into the device(s) and how it addresses firmware and software updates.
Distributed Environments: Policies and protocols are a make-or-break proposition. But it’s also vital to recognize that populations come and go on a campus, and people require access from home and on the road. Consequently, security policies must take into account IP addresses, user locations, and other factors.
Here are five suggestions for you make to your cybersecurity professionals to better protect the school’s data and resources:
Segment the “Crown Jewels.” Isolate sensitive and critical data from the general network, and consider air gapping, where secure and unsecure systems are physically isolated. Adopt a zero-trust approach by allowing only a limited and identifiable set of users to access content. Moreover, identify and document privileges, including which applications different groups can access—but block everything else. Finally, prevent unfiltered ingress and avoid data exfiltration.
Use multifactor authentication. Basic passwords are no longer adequate for authentication. In all instances, rely on multifactor authentication to greatly reduce the risk of a breach.
Advanced endpoint protection. These systems help block zero-day exploits, polymorphous malware, and risks presented by laptops and other connected devices.
Use threat intelligence. These systems—which allow organizations to anonymously share data about threats—help universities and others track evolving cybersecurity risks.
Adopt next-gen security. A multilayered approach to cybersecurity is critical. However, traditional methods such as firewalls and intrusion detection are no longer enough. It’s important to use automation tools, blockchain, and advanced artificial intelligence (AI) cybersecurity systems, and to track blockchain use cases.
A Degree of Security
Universities don’t get a hall pass for today’s cybersecurity challenges. In fact, they may represent an underexploited group. The University of New Mexico breach demonstrates that the risks are real and the moral and legal responsibilities are significant. Institutions must deploy advanced cybersecurity or turn to a managed services provider to tackle today’s risks.
The thought of a university president sending out personal breach notices to tens of thousands of donors should strike fear in the heart and soul of every institution.
To learn more, listen to this podcast for additional insights on keeping higher education institutions secure.