Security breaches are a real threat to every industry these days – just look at the news headlines. And higher education institutions are a tempting target for such attacks.
It’s imperative for schools to step up their security to ensure their data is protected. A good place to start is with a security risk profile, which helps schools understand the state of their security and identify any weak points that need to be addressed.
We spoke with Vince Battista, Senior Director of IT Solutions, and Mark Relf, Manager of Information Security at Collegis Education, to learn more. Keep reading to hear what they have to say about security risk profiles.
Schools aren’t doing enough for security
Based on information from the Educause 2019 Information Security Almanac, 71 percent of institutions track information security metrics and 76 percent have conducted an information security risk assessment.
While these numbers may sound promising, these statistics don’t reveal what, if anything, schools are doing with that information.
For example, they don’t reveal how many are performing quarterly user reviews, testing students, faculty and staff with simulated email phishing attacks, or executing security awareness campaigns. These are a few examples of sustained security initiatives critical to protecting a school’s data.
Why higher ed security is so critical
With the massive amount of sensitive student data schools accumulate, it’s imperative for higher education institutions to know their security risk. In fact, data breaches can translate into direct revenue loss for schools through lost enrollment.
“The most prominent risk is reputation loss, which for most schools also translates into enrollment loss in today’s digital age,” Relf explains.
Day-to-day operational technologies institutions rely on are also at risk. A security breach could halt all connectivity tools that schools rely on, from internet access and Wi-Fi to email and instant messaging. This type of disruption would make it difficult to even hold classes.
And when a school’s security has been compromised, it’s not always obvious, Battista points out. “Many times, the university is made aware from an outside entity as the internal teams were not aware that anything even happened.”
To avoid dealing with undesirable repercussions, it’s best to be proactive about ensuring your security is up to speed. You can assess your school by conducting a security risk profile.
How to conduct a security assessment
Working with a third party can help ensure an authentic and thorough assessment. Because of the various tools, users and environments involved (not to mention the people, processes and technology at each school), security risk assessments differ from case to case.
Here is what the security risk assessment process looks like with Collegis Education:
- The assessment is a collaborative effort between the university staff and the Collegis team. The university team is asked to provide pertinent information throughout the assessment.
- The Collegis team assembles the information and produces the deliverable documents.
- An on-site meeting with the university takes place to shore up any gaps in the information and to share a preliminary review of the report.
- The Collegis team finalizes the report and delivers it back to the university. Components of the report include important findings, the current state of the school’s security, a risk register and a security roadmap.
Depending on the terms of the agreement, Collegis may return to the university to review progress and reassess areas of the roadmap and risk register.
What can you learn from a security risk profile?
There’s a lot of information you can glean from a security risk profile. The report covers many components that fall under three key areas: technology, processes and applications.
- Access management
- Password policy
- Patching schedules
- Security appliances
- Disaster recovery
- Data loss prevention
- Security policies
- Frequency of review
- Accuracy of policies
- Separation of duties
- On/off boarding
- Incident response
- Third party contract review and approval
All of these aspects are analyzed within the assessment. Once a security assessment is complete, the school receives a report on the findings, highlighting areas of improvement and recommendations.
“These risk profile summary reports unveil those areas within the people, processes or technologies that need extra attention and currently provide an attack vector for malicious activities,” Relf explains.
Altogether, the information within the reports helps schools identify gaps in security so they can address their weak areas.
“The assessment gives us a clear picture of the state of the security profile of an institution,” Battista adds. “The information in it is a key tool for an institution to understand its security posture and focuses on addressing potential severe gaps in its security infrastructure.”
The initial information in the report helps schools understand where they currently stand in terms of security. From there, security experts from Collegis lay out actionable steps to help alleviate security risks and strengthen the institution’s security measures.
“The security roadmap will give an idea of the steps required to get the institution started on a path to security maturity,” Battista explains. “The risk register then tells us the amount of work that would need to be completed and defines the scope of work.”
Taking action after the security assessment
The security risk assessment report is just the start. It helps schools acknowledge and understand their current security risks. But it’s up to schools to pursue solutions and maintain them over time.
“It is important to understand that cybersecurity is not a one-and-done solution. It’s a culture, and periodically needs reassessment and evaluation,” Relf says. “The same can be said for the other risk items from an assessment.”
For example, let’s say an assessment informs a school that its anti-malware is not installed on all workstations. To address that security weakness, the school installs anti-malware on all workstations. But it doesn’t stop there.
In this scenario, schools must also consider:
- Is the anti-malware updated?
- How often is it updated?
- Can users disable the tool?
- How does this anti-malware rank in comparison to the others in the industry?
Knowing the answers to these questions and staying vigilant is all a part of the culture of cybersecurity – an ongoing responsibility of the entire institution.
“Security is not the responsibility of one person, or a team of people, but it is the responsibility of everyone that touches the technology the school has made available,” Relf stresses.
Step up your school’s security
Just because you can’t see a physical issue doesn’t mean a dangerous security risk isn’t lurking behind the scenes. And you can’t fix a problem you’re not aware of.
Conducting a security risk profile will allow you to get a pulse on the state of your institution’s security and prioritize which areas should be addressed first. To learn more about the process and the value it can bring to your school, contact us today!