Blog

You’ve Just Been Hacked

By March 4, 2020 March 18th, 2020 No Comments

Cyberattacks on colleges and universities are increasingly frequent and damaging. The cyberthreat to higher education overall is significant and likely to grow for the foreseeable future. Meeting the challenge, especially in higher education, requires strategic thinking and institutional strategy must come from cybersecurity-specific strategic thinking. Three important domains aligned with cybersecurity as related areas of importance today include governance, risk management, and compliance. These domains are related in the sense that people, process, and technology work together to create infrastructure, culture, and programming to minimize risk and instantiate a healthy, safe, and productive technology environment.

In responding to cyberattacks, the majority of “post mortem” examinations of the attacks result in findings related to low levels of awareness, preparedness, and integration of cybersecurity, governance, risk management, and compliance. For example, lack of an effective data governance structure could result in lax attitudes with regard to who can access enterprise data. As another example, risk management policies that allow weak password strength or infrequent resets may expose the institution to cyberattack. Conducting the business of education in today’s digital world creates new challenges in protecting institutional assets, ensuring lawful compliance with state, federal, and international mandates and regulations, and managing to acceptable levels of risk.

As seen recently in public media what are now regular reports of cyberattacks against higher education institutions, and civil litigation related to lack of compliance with the Americans with Disabilities Act (ADA) and subsequent damage awards, the accelerating need for cybersecurity, governance, risk management, and compliance is evident. These critical domains, addressed through the EdgeSecure practice area, are of concern to every higher education institution. EdgeSecure specifically highlights these areas of concern and provides solutions through a trusted partnership to Edge member institutions.

Cybersecurity is the Poster Child for Conditions of Uncertainty

Thinking about cybersecurity from solely a risk-based perspective or as the risk part of an information technology strategy will not result in the most efficient allocation of resources, nor will doing so align the institutional cybersecurity efforts. Cybersecurity demands a strategic approach because it is difficult, rapidly changing, and breaches are potentially devastating to a college or university. Cybersecurity differs from either information technology or business operations because the practice is adversarial, reactive, and asymmetrical. Cybersecurity efforts must be closely aligned to the institution’s overall strategy and must complement the institution’s information technology strategy. Failure to think and act strategically generally results in an inefficient use of resources and as a result, increases institutional risk.

External environment inputs to cybersecurity strategy involve threats and constraints. A comprehensive institutional strategy must identify the institution’s information assets and the impact of a successful attack on them. Understanding the value of the asset(s) to attackers provides insight into the likelihood of an attack(s) and the level of effort adversaries will expend to compromise those assets. EdgeSecure’s assessment and analysis provides a risk-based prioritization for defending data and other information assets. Edge recognizes that institutions have limited resources to expend on cybersecurity. Institutional resources may include not only funding and staff, but also intangibles like reputation, political capital, and accountability. Edge understands that an effective cybersecurity strategy must address the most serious threats while staying within the constraints of the institution.

Cybersecurity strategy must be long-term, be effective in the midst of uncertainty, prioritize resources, and provide a framework for alignment throughout the institution. EdgeSecure works with member institutions to develop an effective plan through assembling cybersecurity strategic patterns. In addition, a matrix that matches the functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework to people, process, and technology can provide a visual representation of the implementation of the cybersecurity strategy for the institution. Finally, sequencing the contents of this matrix, EdgeSecure can create a roadmap of projects, initiatives, and efforts to execute the strategy. Beyond offering a risk-based approach, the EdgeSecure strategy will effectively allocate resources and align efforts.

The term cybersecurity risk management refers to the ongoing process of identifying certain risks and implementing plans to address them. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets. Risk management should be part of the information technology strategy. Risks include threats to such areas as disaster recovery and business continuity, availability, and confidentiality, and also involve determining how much risk an institution can tolerate versus the costs required in mitigating those risks. Business continuity, availability, and confidentiality represent risks that are core to cybersecurity, and an area where information technology strategy and cybersecurity strategy overlap and must be aligned. However, checks and balances must occur and making the institution’s cybersecurity strategy a subset of the information technology strategy is a common mistake.

What Makes Edge’s Approach Unique?

EdgeSecure applies a unique approach in service to member institutions. Three characteristics of cybersecurity create a foundation for Edge’s unique approach. First, cybersecurity should be a function of the institution’s strategy; second, cybersecurity strategy should be proactive; and third, cybersecurity is asymmetrical. So let’s unpack this approach a bit more.

Cybersecurity should be a function of the institution’s strategy.

The purpose of cybersecurity involves protection of the institution’s information assets. An institution curates data and information to better fulfill its mission and provide for competitive advantage. Accordingly, two questions are key to developing a strategy: (1) “how does cybersecurity enable the institution to conduct business?” and (2) “how does cybersecurity risk impact the institution’s business?” Not unlike information technology strategy, a standalone cybersecurity strategy would not make sense. Applying “security for security’s sake” would have questionable merit. A cybersecurity strategy must complement the overall institutional strategy as well as the information technology strategy.

Cybersecurity is reactive and not proactive.

Edge encourages member institutions to think proactively about cybersecurity and have called their strategic approaches proactive. Perhaps it is semantics, but a difference between acting proactively in a tactical sense and having a proactive strategy can exist. As an analog, institutions cannot look for bad actors and arrest them, or destroy their capability before they attack. In the alternative, a proactive strategy means acting before the bad actors act—either to beat them to a goal or to degrade their ability to obtain their goals. Institutions can prepare for attacks before they happen, but can’t act until they occur. The bad actors still pick the time, the place, and the method of attack.

Cybersecurity is asymmetrical

Bad actors have options that institutions do not. Higher education institutions must operate within an ethical and legal framework, thus limits and boundaries of behavior are in place. Institutions have antithetical situations and agendas to the bad actors. As a result, bad actors can often initially gain the upper hand. In most cases an institution has cyber insurance to help reduce risk. Cyber insurance can be complicated and require assistance in determining if policy terms and conditions are adequately in compliance. Moreover, Edge provides for comprehensive review of cyber insurance to determine if the institution is in compliance with policy terms and conditions. Where gaps are found, recommendations for remediation are provided, as well as solutions implemented.

Improving Member Institutions’ Security Posture

Cybersecurity risk management involves the ongoing process of identifying certain security risks and implementing plans to mitigate the risks. Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets. Cybersecurity leaders in higher education spend a relatively small percentage of their time developing strategy, but this activity is likely to have the largest impact on their institutions. Having a strategy that evolves to adapt to a changing environment can make a good security program into a great security program. A well-thought-out strategy empowers an institution to act in alignment with itself, efficiently moving toward common goals.

Many institutional leaders do not know how to create an effective cybersecurity strategy. The cybersecurity challenges faced by higher education institutions can be overwhelming. Acknowledging that oftentimes higher education institutions face nation-state bad actors, colleges and universities are essentially small cities with almost every kind of critical and sensitive data associated. Mixing in higher education’s core values of autonomy, privacy, and experimentation presents additional significant challenges in cybersecurity.

A first step in facing these challenges involves developing and executing a workable strategy. Edge finds that many approaches considered strategies really are not. Well-intended approaches can include “risk-based security programs” or even “risk-based strategies.” However, risk represents only one component of a strategy. Focusing only on risk leads to tactical decisions, rather than strategic decisions. Other components include increased regulation and compliance standards from state, federal, and international agencies. Meeting regulatory and compliance requirements should be a strategic goal, but does not constitute an overall strategy.

Governance, Risk Management, and Compliance (GRC)

As government regulations spread around the globe, geopolitical, regulatory, legal, and compliance risks also continue to present challenges for higher education institutions. With today’s proliferation of laws and rules, and the increase in stakeholder expectations, Edge members may be more vulnerable to compliance risks than ever before. While many institutions are still taking a passive approach to managing compliance risk, today’s issues of risk change at the speed of business, so institutional strategy and process must also change quickly.

In fact, regulations are changing so rapidly that the passive, reactive ways of managing compliance risks might cause institutions to fall behind and leave them exposed to larger regulatory or reputational risks than necessary. Edge finds that some member institutions are finding ways to better manage compliance risks and be more risk intelligent, which involves being more aware of current risks. The need for an integrated compliance model across the institution to keep compliance risk in check, and to ensure that policies are followed at every level in the institution has never been stronger.

Edge suggests to member institutions a holistic approach toward managing compliance. The approach involves providing a single, enterprise-wide solution toward compliance management. The benefits of the Edge integrated compliance strategy include reduced operational risk, reduced costs, enhanced student, faculty, and staff experiences, and more. Compliance management and risk management are related; however, they are not the same thing. Risk management involves predicting and managing risks to help an institution protect itself from risks that might eventually lead to non-compliance. Notably, the term compliance management refers to the process of managing compliance within the boundaries of a timeframe and budget. Non-conformance to compliance regulations also represents risk.

Edge’s Approach to Cybersecurity and GRC

For compliance management to be successful, an organization must do more than adopt the right tools and strategies. Institutions must create a culture of compliance across the entire organization. Ideally, adherence to compliance should not be imposed on employees, but instead, should come from within. A governance, risk, and compliance (GRC) framework is known to be an effective method of identifying and mitigating threats. Edge provides consultative support to member institutions in the areas of information technology policy management, information technology risk management, compliance management, threat assessment and vulnerability management, vendor risk management, and incident management.

Six ways in which Edge approaches cybersecurity and GRC management differently include:

1. Increasing collaboration
Edge serves to increase institutional collaboration and functional integration among all those who are involved in various areas of compliance, including senior managers and the compliance and risk management teams. Use of automated workflows helps facilitate enterprise compliance management.

2. Adopting a unique institutional compliance strategy
This approach helps member institutions gain a competitive advantage through well-planned compliance management programs.

3. Providing a framework to manage compliance risk
Edge works with member institutions to improve compliance risk management by building a framework and methodology for assessing all risks. Edge’s compliance framework involves a set of configurable guidelines and policies that determine how an institution can adhere to compliance regulations.

4. Providing training
To better manage compliance risks, institutions need a well-defined process as well as well-documented policies, procedures, and guidelines. Edge provides training to assist member institutions in making everyone aware of all related laws, regulations, and policies.

This service represents a vital part of creating a culture of compliance.

5. Establishing enterprise-wide institutional risk management process
Risk and compliance should be integrated into an enterprise-wide institutional GRC process. This action will ensure that any risks and compliance issues faced by the organization are not considered in isolation. Edge works with member institutions to make timely and well-informed decisions in establishing a compatible enterprise GRC process.

6. Combining technology and tools
Applying the right combination of technology and best practices can make your compliance process more effective. Edge’s approach to managing compliance risk involves implementation of tools that can extract data from an institution’s digital systems to determine any deviation from desired policies.

All Related Aspects

Higher education institutions cannot have a robust risk management program without compliance, and vice versa. However, to address compliance and risk management, institutions should have distinct approaches and execution tactics for both. Non-compliance is a risk, but risk management is not compliance. As a result, risk and compliance should be dealt with differently. The correct GRC strategy can tackle both compliance and risk management.

Typically, an Edge compliance team assesses the existing program, which includes evaluating the process and technology and analyzing ways to improve how compliance is being managed. The Edge compliance team also manages a budget to invest in any new technologies needed to attain the desired objectives, and assigns resources to reach the goals and objectives.

Don’t Leave Your Institution at Risk

By most predictions, cyberattacks on colleges and universities will continue to increase at an alarming rate, and state, federal, and international regulations demanding compliance will continue to scale as well. No institution is exempt from cybersecurity and GRC threats, and passive allocation of resources and efforts will not sufficiently provide a comfortable level of protection and risk mitigation. Edge understands the complexities of cybersecurity and GRC programs, and works as a trusted partner with member institutions to create infrastructure, culture, and initiatives that align with people, process, and technology to advance the mission and vision of the institution in a safe and productive ecology.

For more information on how Edge can help your institution with cybersecurity, governance, risk management, and compliance, email info@njedge.net.