Security breaches are a real threat to every industry these days – just look at the news headlines. And higher education institutions are an especially tempting target for such attacks.
It’s imperative for schools to step up their security activities to ensure their data is protected. A good place to start is with a security risk assessment, which helps schools understand the state of their security and identify any weak points that need to be addressed.
We spoke Mark Relf, Manager of Information Security at Collegis Education, to learn more. Keep reading to hear what he has to say about security risk assessments.
Schools aren’t doing enough for data security
Based on information from the Educause 2019 Information Security Almanac, 71 percent of institutions track information security metrics and 76 percent have conducted an cybersecurity risk assessment.
While these numbers may sound promising, these statistics don’t reveal what, if anything, schools are doing with that information.
For example, they don’t reveal how many are performing quarterly user reviews, training and testing student/faculty/staff on simulated email phishing attacks or executing security awareness campaigns. These are a few examples of sustained security risk prevention initiatives critical to protecting a school’s data.
Why higher ed security is so critical
With the massive amount of sensitive student data schools accumulate, it’s imperative for higher education institutions to know their security risk. In fact, data breaches can translate into direct revenue loss for schools via enrollment and insurance premiums.
The most prominent risk is reputation loss, which for most schools also translates into enrollment loss in today’s digital age.Mark Relf
Day-to-day operational technologies institutions rely on are also at risk. A security breach could halt all connectivity tools that schools rely on, from internet access and Wi-Fi to email and instant messaging. This type of disruption would make it difficult to even hold classes.
And when a school’s security has been compromised, it’s not always obvious, Relf points out. “Many times, the university is made aware from an outside entity as the internal teams were not aware that anything even happened.”
To avoid dealing with undesirable repercussions, it’s best to be proactive about ensuring your security is up to speed. You can assess your school by conducting a security risk profile.
How to conduct a cybersecurity risk assessment
Working with a third party can help ensure an authentic and thorough security risk assessment. Because of the various tools, users and environments involved (not to mention the people, processes and technology at each school) security risk assessments differ from case to case.
Here is what the security risk assessment process looks like with Collegis Education:
- The assessment is a collaborative effort between the university staff and the Collegis team. The university team is asked to provide pertinent information throughout the assessment.
- The Collegis team assembles the information and produces the deliverable documents.
- An on-site meeting with the university takes place to shore up any gaps in the information and to share a preliminary review of the report.
- The Collegis team finalizes the report and delivers it back to the university. Components of the report includes important findings, the current state of the school’s security, a risk register and a security roadmap.
Depending on the terms of the agreement, Collegis may return to the university to review progress and reassess areas of the roadmap and risk register.
What can you learn from a cybersecurity risk assessment?
There’s a lot of information you can glean from a security risk assessment. The report covers many components that fall under three key areas: technology, processes and applications.
- Access management
- Password policy
- Patching schedules
- Security appliances
- Disaster recovery
- Data loss prevention
- Security policies
- Frequency of review
- Accuracy of policies
- Separation of duties
- On/off boarding
- Incident response
- Third party contract review and approval
All of these aspects are analyzed within the assessment. Once a security risk assessment is complete, the school receives a report on the findings, highlighting areas of improvement and recommendations.
“These risk assessment summary reports unveil those areas within the people, processes or technologies that need extra attention and currently provide an attack vector for malicious activities,” Relf explains.
All together, the information within the reports helps schools identify gaps in security so they can address their weak areas in need of improvement.
“The assessment gives us a clear picture of the state of the security profile of an institution,” Relf adds. “The information in it is a key tool for an institution to understand its security posture and focuses on addressing potential severe gaps in its security infrastructure.”
The initial information in the report helps schools understand where they currently stand in terms of security. From there, security experts from Collegis lay out actionable steps to help alleviate security risks and strengthen the institution’s security measures.
“The security roadmap will give an idea of the steps required to get the institution started on a path to security maturity,” Relf explains. “The risk register then tells us the amount of work that would need to be completed and defines the scope of work.”
Taking action after the security risk assessment
The cybersecurity risk assessment report is just the start. It helps schools acknowledge and understand their current security risks. But it’s up to schools to pursue solutions and maintain them over time.
“It is important to understand that cybersecurity is not a one-and-done solution. It’s a culture, and periodically needs reassessment and evaluation,” Relf says. “The same can be said for the other risk items from an assessment.”
For example, let’s say an assessment informs a school that their anti-malware is not installed on all workstations. To address that security weakness, the school installs anti-malware on all workstations. But it doesn’t stop there.
In this scenario, schools must also consider:
- Is the anti-malware updated?
- How often is it updated?
- Can users disable the tool?
- How does this anti-malware rank in comparison to the others in the industry?
Knowing the answers to these questions and staying vigilant is all a part of the culture of cybersecurity – an ongoing responsibility of the entire institution.
Security is not the responsibility of one person, or a team of people, but it is the responsibility of everyone who touches the technology the school has made available.Mark Relf
Don’t let hackers breach your institution – reduce your cybersecurity risks
Just because you can’t see a physical issue, doesn’t mean a dangerous security risk isn’t lurking behind the scenes. And you can’t fix a problem you’re not aware of.
Facilitating a security risk assessment will allow you to get a pulse on the state of your institution’s security and prioritize which areas should be addressed first.
Download our Higher Ed Cybersecurity Landscape ebook to understand how and why cybercriminals are focused on colleges and universities, as well as actions your institution can take to prevent attacks and safeguard data.