By Bob Turner, field CISO for education, Fortinet.
Education technology leaders are continuing to fight the cybersecurity battles. Microsoft reports that education accounted for over 80% of enterprise malware encounters since late February 2022. Sophos ranks education No. 3 in ransomware, with close to 500 attacks occurring in 2021.
While many universities are joining consortiums that provide security operations services, those institutions that have an active Security Operations Center (SOC), are reporting benefits including quick and effective response, decreased costs of breaches and operations, active threat prevention, improved communication and coordination, and availability of security expertise when they need it.
While there is forward motion aimed at providing safe and secure internet experiences for students and faculty, more can be done. With the cost of cybersecurity tools and talent, many programs are “best effort” and usually performed by IT staff who are not full-time security professionals.
Forward-leaning colleges and universities may have managed security services or have invested in a small team of security-focused staff. Others join with partner institutions or state level security operation centers and receive early warning information, allowing them to focus efforts when threats are reported. The rest are still struggling to rationalize the cost for any dedicated security operation.
Data breaches, ransomware attacks and other cyber incidents carry the potential for significant financial damage, among other problems, so colleges and universities have been investing for over a decade in improved talent, cutting edge cybersecurity tools, and continual testing of security controls. They’re also grappling with the need to protect research information and research budgets while also meeting increased compliance requirements that come with sponsored research.
Federal guidelines for protection of sensitive research and administrative data such as the National Institute for Standards and Technology 800-171, the Capability Maturity Model Certification (CMMC), and healthcare information protection laws are major motivators for improved cybersecurity given that personal and regulated data gathered under research projects must be protected.
An EDUCAUSE case study published in 2019 provided a set of common approaches for institutions to use in creating a SOC. An important set of solutions included outsourcing or sharing SOCs. Several universities have provided the SOC as a Service model for other universities’ use. Indiana University also built OmniSOC, which started as a collaboration between five Big Ten universities, and has now grown to serve eight colleges and universities with “after hours” services.
The OmniSOC also serves regional networks and several major National Science Foundation sites. The collaboration’s success is in feeding the local university cybersecurity team with valuable incident or event data. Indiana University is also the home of the Research and Education Networks Information Sharing and Analysis Center, or REN-ISAC, which serves as a clearing house for cyber event data and indicators of compromise.
The challenge for improving cybersecurity in higher education is the business case. Since revenue streams like research budgets, grant money and federal student loans must be protected, there are many questions that education leaders and IT teams need to resolve:
- Is a unified SOC more efficient that maintaining a distributed security operations capability?
- What are the cost and value propositions?
- What is the return on the investment in both capital investment and operating expenses?
- Is a business day or 24/7 facility needed?
- What are the failover strategies available?
Finally, no matter where the education SOC resides, there will be the need for talented cybersecurity experts that are willing to work for public sector wages. Yes, they do exist. The challenge is keeping them after they have enough experience to be useful in higher paying federal or private sector SOCs.
Student workers are a partial solution in higher education, and the use of contract staff for onsite SOC operations and management is another option that lowers overhead operating cost. Staffing cost and budgets for these solutions need to allow for the amount of “quality time” that could be spent managing cyber incidents and events. Cyber incidents rarely go from start to resolved within the contiguous 8-hour work day and many take weeks to resolve.
With the continued challenges education faces, knowing academic and research information systems will be available and data will remain protected is one worry our higher education leaders need to help work its way off the list.