Data breaches are one of the main sources of risk for higher education institutions, so it is not surprising that ein the face of the pandemic, privacy and security topped the list of concerns for college and university IT teams. But when teaching and learning moved to homes and parking lots in the spring of 2020, end-user security protection immediately became more difficult to manage, but even more important to maintain.
In a survey of 154 institutions, more than 40% reported that security tasks have become much more important over the past year. The massive shift from the pandemic to remote work and remote learning increased institutional security and privacy risks in numerous areas. For example, the number of home personal devices that store and use institutional data increased exponentially. Privacy issues arose around video conferencing from home, as family members and smart home assistants like Alexa could listen to confidential conversations. Security around video conferencing platforms and the arrival of “Zoombombing” it also became a concern.
As the world moves more and more online, cybersecurity risks will continue to increase in number and complexity, so risk mitigation and protection will become critical to the ability of institutions to fulfill their educational missions. In the future, cybersecurity must be seen as a facilitator rather than an impediment to learning, and campus information security departments should become “the office of knowledge” rather than “the office of no”. They have to iidentify key trends and emerging technologies that will add efficiency and protection to your campuses and students.
The pandemic has accelerated the growth of endpoint devices, including computers, laptops, smartphones, and tablets, which are owned and operated by the average person. With 70% of all security breaches occurring on these endpoint devices, rapid risk detection and response is becoming a necessity for IT security. I as many students, educators, and staff are likely to continue to work off-campus, continuing education for safety awareness, outreach, and communication will continue to be essential.
Institutions should take this into account technologies and practices which make it easier for students and teachers to use cybersecurity best practices. Multifactor authentication requires users to submit two or more tests to verify their identity, which can protect themselves from malicious actors who do not normally have access to more than one factor.
However, MFA can be tricky if not combined with single sign-on, where users can authenticate through multiple related but independent software systems. Through the use of MFA and single sign-on, institutions can do this eliminate the need for multiple usernames and passwords to manage the user experience of students and faculty by providing them with secure access to institutional platforms and applications.
Institutions should also be aware of how they collect and use student data, while maintaining transparent data governance rules. Students expect their institutions to use their data ethically and responsibly, however often missing an understanding of how institutions use their personal data.
Higher education information security officials should increasingly focus on enabling the effective and safe use of all campus technology. These leaders need to work collaboratively across departments and with students improve governance, compliance, data protection, and information security privacy programs. With a focus on effective leadership and implementation of technologies and practices to strengthen overall information security, higher education can emerge from the pandemic capable of better managing cybersecurity risks that will no doubt continue to emerge.
Brian Kelly is the director of the Educause cybersecurity program. He is also an adjunct instructor at Naugatuck Valley Community College in Waterbury, Connecticut, and was previously the head of information security at Quinnipiac University in Hamden, Connecticut.