Addressing the Biggest Cyber Threats to Higher Education
An Interview with John Ramsey, Chief Information Security Officer (CISO), and Randy Vickers, Deputy CISO, at the National Student Clearinghouse
October is Cybersecurity Awareness Month, a time to raise awareness about the importance of cyber hygiene for the academic community. John Ramsey, chief information security officer, and Randy Vickers, deputy chief information security officer, at the National Student Clearinghouse, explain how higher education can benefit from making cybersecurity a priority.
What do you perceive as the biggest cyber threats facing higher education today?
Randy Vickers: What I see as the most significant cyber threat to higher education is access to data. Privacy of student records is important. Universities receive grants for the research they conduct, and that intellectual property needs to be protected.
John Ramsey: You can’t go past a news article today without hearing about ransomware. But ransomware isn’t the biggest issue; the lack of preparation and response to ransomware is the biggest cyber threat to higher education.
How can schools combat ransomware?
Vickers: Most ransomware involves phishing, a tactic that entices an individual to click a link through an email or text, which could cause a system compromise. Schools need to ensure the students and faculty receive training on the effects and prevention of phishing.
The number one thing schools need to do to lessen the impact of ransomware is to look at their resiliency. For example, do you perform regular back-ups, and do you test and validate your backups?
What do you say to people in higher education who push back against the use or inconvenience of Multi-Factor Authentication or MFA?
Ramsey: I would respond by saying that MFA is 99.8% effective in countering the most highly sought-after attack vector, compromised credentials, which occurs in 95% of data breaches. It’s really the only solution to prevent compromised credential attacks. It’s a no-brainer.
Vickers: It may cost a bit to put MFA in place, but the cost of a breach is much more expensive. People don’t think twice about using MFA on their bank accounts and social media; it shouldn’t be an issue for them to do it in a work or school environment.
What are the operational risks for schools if they encounter a cyber incident?
Vickers: You need to consider the affected system’s impact. Students may not be able to get online to take exams or enroll in classes, researchers may not have access to data, or recruiting efforts may be stalled. These core aspects keep a university thriving and are the real operational risks.
What should a college or university include in its incident response plan?
Vickers: A plan should include who to alert and when, a detailed communication process, resources on hand or needed for mitigation, and a method for breach notifications. It should also consider any legal aspects involved. A basic checklist is beneficial to know what steps to take. And at the end of a cyber incident, always take time to review lessons learned.
What do you say to a school that is just trying to survive in today’s challenging academic environment to ensure that they’re putting the proper resources and intention into good cyber hygiene habits?
Ramsey: It starts with the core question of how we can help. We can provide counsel and mentor them; we also have best practices in place that they can use. We also have a user group with hundreds of cyber stakeholders that share best practices.
Who is responsible for preventing a cyber incident in higher education? Is it just IT?
Vickers: No, it’s everyone: IT, registrars, faculty, students, and anyone with access to the resources.
Ramsey: Everyone has a role in preventing a cyber incident, from the end-user that receives an email to a business unit that’s designing a system to the cyber team doing the quality control.
How can you reassure customers that the Clearinghouse is keeping their data safe and secure?
Vickers: We regularly have outside experts look at our cyber security capabilities and ensure we employ them properly. These reviews are in place to prove that the data that customers share with us stays secure to the best of our ability.
Ramsey: We go through about 125 to 150 external assessments a year to validate our security posture to the education industry, the financial industry, and the federal government. Also, we trust nothing outside of our network until we have validated it as safe and secure.
John, you have had Randy join the Clearinghouse. Can you speak to that decision and the benefit he brings to our education and other clients?
Ramsey: Randy has a lifetime’s worth of experience on incident response and identifying threats to take care of the users ultimately. He brings to the Clearinghouse, and to all of our learners, the ability to provide a world-class incident response program.
What is your advice for individual learners to make sure they are practicing good cyber hygiene habits?
Vickers: Many organizations provide tips for learners to be more cyber secure, such as the Cyber Readiness Institute, Department of Homeland Security, and the National Cybersecurity Alliance, to name a few. These include advice on keeping your router safe at home, protecting data while traveling, and using multifactor authentication, among other topics.
The Clearinghouse also has a whitepaper, Why Cybersecurity Matters: What Registrars, Enrollment Managers and Higher Education Should Do About It.
Ramsey: All learners are targets, but they can minimize the risk of being a victim. They should know what they click on and where they are going on the internet.
Clearinghouse takes its commitment to student privacy very seriously. We have maintained the confidentiality and privacy of the student records in our care since our beginning in 1993. We are scrupulous in our concern for student privacy and compliance with the Family Educational Rights and Privacy Act (FERPA), which protects students’ privacy rights in their education records.
“You can’t go past a news article today without hearing about ransomware. But ransomware isn’t the biggest issue; the lack of preparation and response to ransomware is the biggest cyber threat to higher education.”
Chief Information Security Officer, National Student Clearinghouse