If you are like me, data security is a top priority. A recent report by the Identity Theft Resource Center shows that data breaches in the United States are occurring at a record pace this year, and that hacking, from phishing attacks, ransomware, and malware has caused nearly two-thirds of the breaches.
Overall, the ITRC reports that by early August, 10 percent of the breaches in 2017 have occurred in education, resulting in more than 1 million records getting compromised. None of us want to be on that list.
Colleges and universities face new threats every day, so it’s important for IT departments to be proactive and continually work to enhance security. In fact, my team and I regularly meet to brainstorm ideas to bolster security. The key is to take an in-depth approach to safeguarding the network and systems from every threat.
“Statistics show that faculty and staff are an important line of defense against cyber attacks”
Here are some best practices, security tools and strategies that I’ve implemented–and that you, too, can deploy–to protect university data.
1. Perform a risk assessment. It’s important to hire a third-party security firm to perform a comprehensive risk assessment and conduct network penetration tests often.The assessment and tests point out the vulnerabilities you have in your data center and network and allow you to prioritize and resolve those risks.
Sure, you can perform the assessments yourself, but using a third-party organization is a good practice because its team comes in with a fresh eye and no biases.
2. Security training. The ITRC study shows phishing attacks are the cause of nearly half (47.7 percent) of the data breaches this year, while ransomware and malware make up 18.5 percent. After these hacking incidences, the second biggest cause of data breaches is employee error, negligence and improper disposal of data. These statistics show that faculty and staff are an important line of defense against cyber attacks.
It’s critical to create a comprehensive security awareness training program. You can do it through email reminders, face-to-face training and even video training.
Video has worked well for me in the past. You can require campus employees to review multiple security videos from the SANS Institute, such as how to protect passwords or avoid phishing attacks. After each three to seven-minute video, they are required to pass a quiz.
3. Next-Generation Firewall. To defend your network, upgrade your old-school firewall to a next-generation firewall that features built-in intrusion prevention, virus and malware protection, application filtering and the ability to inspect all seven layers of network traffic.
You should also implement SSL decryption on the firewall. It’s not to spy on people. It’s to inspect incoming traffic to make sure nothing like ransomware is entering the network. Without SSL decryption, you have no way of knowing what encrypted traffic is coming into the network.
As an added layer of security beyond the firewall, consider using cloud-based anti-virus software to protect endpoint devices on the network.
4. Network Access Control (NAC). Installing a NAC appliance ensures that the notebook computers that students bring to campus meet security requirements before they are allowed onto the Wi-Fi network. The NAC can double as a RADIUS server, which authenticates users onto the wireless network.
When they sign on, the NAC analyzes the devices and checks to make sure they have the latest anti-virus software and operating system patches installed. If the devices need remediation, users are then sent to the necessary websites to get updates. Once their devices are updated, they can connect to the network.
To further boost security, you can go beyond authenticating users on the RADIUS server. You can also authenticate computers on the network. Machine authentication prevents users from unplugging a computer from the network, and then plugging in their own computer to try to access the network. Through machine authentication, the RADIUS server will recognize that the new computer that is plugged in does not belong on the network and will lock up the port instantly.
5. Patch Management. While the NAC ensures personally owned devices are updated and secure, security patch management tools can do the same for college-owned computers. Every night, the software can automatically install the latest critical software updates and patches to college-owned computers on the network.
6. Mobile Device Management (MDM) Software. The software allows you to manage and monitor college-owned mobile devices, such as tablets and smartphones. You can use MDM software to create security rules, such as the types of mobile apps users can download. If a device gets lost or stolen, you can protect college data by remotely erasing the device.
7. Application Control, Privilege Management and Sandboxing. These three capabilities can provide a multi-layered defense to endpoints. Some software vendors provide all three features in an integrated solution. Some sell them individually. Let me explain what they do.
The Council on Cyber Security lists application control as the most essential strategy for mitigating threats. Application control ensures that faculty, staff, and students are free to access and install the applications they need without compromising security. With this feature, the IT department can allow users to use trusted applications through simple rules and policies. But by blocking everything else, you stop unwanted software from installing or executing, preventing malware from running.
Furthermore, most ransomware and malware can’t work without administrative rights to the desktop. So with privilege management, the IT staff can secure desktops by giving users standard user accounts and removing administrative rights. This feature strikes a good balance because it secures computers while giving users the access they need.
Vulnerabilities in web browsers, productivity software and email attachments create opportunities for malicious code to enter the network. With sandboxing, you can safely contain web threats and isolate malicious activity without restricting users. If a user visits a compromised website or opens an infected document, malware is restricted to the safely contained environment, so that college data is protected.