Cybersecurity tips for tight budgets


In today’s increasingly digitized higher education landscape, where IT departments are tasked with managing and securing growing networks with emerging vulnerabilities, some higher education IT executives say their departments are understaffed to wage an uphill battle against cybercriminals and ransomware, which have cost the US institutions billions.

Zachary Meyers

Courtesy: Educause

Experts at Virginia-based IT firm BreakPoint Labs identified the roadblocks and compiled a list of budget-friendly ways for colleges and universities to improve their cybersecurity posture, which the company’s operations director, Zachary Meyers, presented Nov. 2 at the Educause Annual conference .

Proposed initiatives and solutions included blocking external login portals, identifying and remediating cloud security vulnerabilities, implementing phishing training, updating network share permissions, and strengthening password security.

“Academic institutions and educational programs often face a budget or budget constraint every year…and cybersecurity can always be subject to operations,” Meyers said, noting that the company has recently been working with organizations to identify such IT security deficiencies and fix.

“We like to focus on keeping high-ed out of the headlines. They are now a target that is frequently attacked, mainly with ransomware campaigns, hacktivists going to the internet,” he said. “Sometimes it’s very targeted … but often we just see hacktivists doing it, or other groups that have financial incentives or profits.”

Meyers’ panel noted that as universities increasingly rely on new systems to enable distance and hybrid learning, it has become increasingly important for universities to assess what the “internet” knows about their organization. He said IT departments need to know their “external footprint” and ask themselves, “Do you know what internet-connected systems and devices belong to your institution?”

“It’s important to know not only what IP range your institution is assigned, but also what web services are available to the public,” Meyers said, adding that organizations should report unusual or excessive external login and authentication attempts. “We’ve seen a lot of automated lockout policies in higher education… There are ways attackers can bypass those controls and still ultimately get the prize of password-spraying an account compromise.”

The panel noted that many institutions have moved all of their on-prem systems to the cloud or a hybrid model, adding that network and system administrators of traditional on-prem networks often have little to no training with cloud systems . Aside from professional development solutions, Meyers said, IT systems can use tools such as open-source multicloud security audit capabilities, among others.

“We have seen many times that traditional network administrators and system owners dealing with on-premises need to learn how to design and deploy cloud infrastructure with little or no training,” he said. “And that can create security gaps.”

While there are a plethora of issues and vulnerabilities for IT administrators to watch out for, says Meyers, many can be addressed and even avoided altogether by fostering a culture of “cyber hygiene” throughout the organization.

The panel also highlighted the need to improve campus-wide phishing training policies and host sandbox IT security drills for employees, among other solutions.

“At the end of the day, are the end users the weakest link? Not all the time, but most of the time,” Meyers said.

Brandon Paykamian

Brandon Paykamian is a staff writer for Government Technology. He has a bachelor’s degree in journalism from East Tennessee State University and years of experience as a multimedia reporter with a focus on public education and higher education.

See more stories by Brandon Paykamian


About Author

Comments are closed.