Wide-ranging experiences and insights have helped institutions mature and sharpen their defenses.
When the University of California San Diego campus emptied out because of COVID-19 in early 2020, Michael Corn could see right away that his job would never be the same.
Corn, CISO at UCSD, watched as the number of devices on the university’s network dropped by nearly 50 percent. “It was actually pretty startling,” he says. “People were working remotely, and many weren’t using a VPN, and that meant we couldn’t really see them.” Corn met with his team, and they soon agreed to prioritize three things regarding cybersecurity.
First, they resolved to accelerate their deployment of a next-generation anti-malware solution. “We needed a product that would let us do better threat hunting and that would provide forensic analysis when something does go wrong,” Corn says.
The department had held off on an upgrade over the years, he adds, because the existing solution seemed to work fine. “But now, there’s been a paradigm shift in the quality of the products that are available, and with the pandemic, we just decided it was time.”
Multifactor authentication was the next item on the list, mainly because the move to offsite work had exposed a gaping hole in the institution’s MFA strategy. It already relied on MFA to secure access to web-based services and email but had never required it for logins to email clients.
“That’s because in the past, the people who were using email clients were usually sitting on campus,” says Corn.
Suddenly, with everyone working from home, his team had to deal with a constant stream of suspicious login alerts from vendors. “Once we had multifactor in place, that went away almost entirely.”
Finally, Corn and colleagues wanted a better solution for securing remote access to UCSD’s campus resources. Prior to the pandemic, they’d relied on Remote Desktop Protocol for their Windows machines.
“Now we’re seeing that, with ransomware events especially, something like 80 percent are exploiting poorly configured RDP,” Corn says.
The IT staff is still assessing its strategy — whether that means putting everything behind a VPN or utilizing Remote Access as a Service — but with all signs pointing to continued remote work for a significant portion of the campus community, a new solution will be in place soon.
Threat Hunting in a New Cyber World
UCSD was no different from other colleges that received a crash course in crisis-driven cybersecurity over the past 18 months.
“We’re in a race with the hackers, and they’re running a relay — sprinter to sprinter — while we’re still running at a marathon pace,” Corn says.
With that in mind, he and other IT leaders are re-evaluating their long-term strategies and adopting new tools to help them stay a step ahead of their adversaries.
“It’s a totally new world from a security perspective. We can’t do security the way we’ve done it for the past 30 years,” says Corn. “We have to start swinging for the fences.”
UCSD, for example, is analyzing what it would take to adopt a zero-trust security model. “The idea that you could fingerprint every machine on your network and only let them talk to the things they’re supposed to talk to — that could be a real game changer,” he says.
Brian Kelly, the director of the EDUCAUSE cybersecurity program, says the erosion of the IT perimeter has led many in higher education to view zero trust as the best approach.
“That’s something almost everyone in cybersecurity is focused on: these networks without boundaries, and how to protect them,” says Kelly.
The university CISOs that he’s met have come to view the pandemic as a learning opportunity.
“There were lessons learned around the security strategies they used to allow their communities to operate remotely, but they also really saw the value of collaboration, of talking with each other and sharing best practices,” Kelly says.
Those strategies have included everything from bolstering endpoint protection to evaluating the security postures of cloud technology vendors. Most important, they have emphasized education, showing users what they must do to stay out of harm’s way.
“I think what the pandemic has done is really showcase cybersecurity on campus as an enabler,” Kelly says. Remote work and learning did leave universities more vulnerable to ransomware and other cyberattacks, “but when you talk to these schools, they have a positive story to tell about how they were able to improve and adapt.”
Negotiate Contracts That Ask for Too Much Personal Data
One of those schools is Marist College, where Emily Harris became the inaugural director of cybersecurity and information security officer in early 2020. Since then, Harris and her colleagues have implemented an endpoint protection solution that improves their ability to detect and act on issues of concern. They’ve also rolled out several educational initiatives to teach the campus community about cyberthreat prevention.
Still, she says, most of the college’s security protocols were in place pre-pandemic; they just had to learn to lean into them and to trust them to work as planned. “The big difference was ensuring that while we were in this public health emergency and under pressure to reduce timelines and make decisions, that information security and privacy remained a priority in everything we did,” Harris says.
When it came to working with third parties, for example, Harris and her team talked with department purchasing offices about identifying contracts that ask for personal data and thinking twice about providing information that wasn’t absolutely necessary.
“It’s important to be ready to push back and say, ‘What do you really need to get your job done?’” she says.
Similarly, the pivot to remote learning surfaced a wide range of issues related to privacy. If a class was to be recorded, for example, the institution would need to determine how to securely store and access that recording, and it would need policies to address potential concerns.
For instance, Harris says, “How do you handle students who don’t want their faces on camera? These kinds of issues aren’t new, but institutions like ours that were classically in person now really had to wrestle with them.”
Securing the Business Side of Higher Ed
Another organization that’s emerged from the pandemic with a better defense is Connecticut State Colleges & Universities.
“For us, the biggest challenge was on the business side of things — anything that wasn’t student-facing,” says Sherry Pesino, CSCU’s senior information security program administrator.
Staffers across the consortium’s 17 institutions who were accustomed to working face-to-face with their colleagues “suddenly needed a way to securely communicate with each other and share the documents they used to pass between their cubicles,” she says.
CSCU had offered many courses online well before COVID-19 arrived, so it already had most of the security solutions it needed to help faculty and students go remote. For administrators, though, the staff had to start from scratch, and decided the best approach was to build secure portals.
“We’d talked about the need for these portals before, mostly for communicating with agencies outside of our office,” says Pesino. The pandemic pushed the change forward, but with the cultural shift the new technology required, the implementations were far from easy. “Part of it was that the training we provided on how to use them was all done remotely,” she says.
Looking back, Pesino says the lessons she’s taken away from the pandemic range from how to securely manage a meeting in Microsoft Teams to how to talk about cybersecurity to people who aren’t IT savvy. Most of all, she says, she’s learned that it’s possible to weather a worldwide crisis “and come out with a stronger security posture in the end.”