University Network Security Is Now More Important Than Ever
Considering the high volume of online communications and study materials in higher education, it is essential that college students have easy and safe access to a secure and stable network. Such a vast challenge, however, rarely runs smoothly for the university IT department when trying to maintain network security in such an open operating environment.
Since many campuses have become virtual or hybrid, the college network is more important than ever. Yet, with widespread work-from-home directives, event cancelations, and general uncertainty, there is more opportunity for scammers to take advantage of vulnerabilities.
CMMC Compliance Required for Federal Funding – Does This Affect Universities?
The Cybersecurity and Infrastructure Security Agency (CISA) plans to implement a new rule that would require specific entities to report any cyberattacks and ransomware payments to the agency within a short timeframe. This rule resulted from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), passed in March 2022.
Although CIRCIA may not initially impact higher education institutions, they should not expect to be exempt for long. Educational institutions that rely on Department of Defense (DoD) contracts for crucial research projects will soon be required to comply with the Cybersecurity Maturity Model Certification (CMMC). This program aims to protect organizations in the defense industry supply chain by ensuring the security of controlled unclassified information (CUI) and federal contract information (FCI). Penalties for non-compliance and cyber incidents may become more severe.
As per the guidelines outlined in NIST SP 800-171 CUI, institutions must fulfill specific criteria to safeguard the confidentiality of CUI in non-federal systems. While college and university CIOs and CISOs may be familiar with these guidelines, the updated CMMC 2.0 version necessitates a renewed focus on compliance. Non-compliant institutions risk losing federal research funding. The CMMC program may also impose further restrictions on peer-reviewed research and mandate that schools demonstrate full compliance before applying for federal contracts or grants.
Will this impact funding for universities?
The DoD has initiated a phased rollout plan for CMMC 2.0, requiring all organizations working with the DoD to comply with CMMC 2.0 by October 1, 2025. This presents a challenge for higher education institutions that rely on DoD contracts and funding for key research programs.
Many CMMC security requirements will be implemented in higher education institutions that already receive funding from the U.S. Department of Health and Human Services (HHS) and the National Science Foundation (NSF). This impacts any system using federal funds, such as student financial aid records – meaning almost every college and university in the U.S. will be affected.
Research institutions with large amounts of funding worry that CMMC’s data access requirements might disturb the flow of information and the examination and publication of crucial research. CMMC will mandate schools to demonstrate complete compliance before applying for grants or research contracts. For numerous institutions, this could result in significant financial consequences.
What can universities do now to prepare for the CMMC compliance deadline?
CMMC requirements depend on the specific DOD entity you work with and the data involved: Universities conducting highly confidential defense research may face stricter requirements than those focused on medical research.
To reduce potential CMMC issues, begin by examining your institution’s security program and the effectiveness of your security measures. Conducting a security posture review can help you identify:
- Your current level of security process optimization
- Gaps in your cybersecurity program
- Risk priorities, so you know where to allocate resources first
- External vendors and partners who need to implement stronger security measures
- Opportunities to save costs, automate, and consolidate processes
Next, collaborate with your regulatory compliance partner to create a roadmap of policies and processes. Additionally, you should schedule a CMMC audit from a reliable third-party provider to confirm your remediation efforts and recognize any remaining gaps.
Data Breaches Are a Growing Threat to Higher Education Institutions
The growing number of cyber threats targeting colleges and universities is a startling reality. Last year, there were multiple breaches of personally identifiable information at reputable institutions, including Oregan State University and Missouri Southern State University. Network vulnerabilities hacked email accounts, and phishing incidents potentially exposed the sensitive data of thousands of university employees and students. The data breaches yielded their names, birth dates, addresses, email addresses, phone numbers, and social security numbers.
Cyberattacks continue to threaten higher institutions because it’s considered a lucrative market for these modern-day criminals. These attacks have the potential to damage universities financially and harm their reputation among prospective students, alumni, and the greater community.
10 Cybersecurity Best Practices for Higher Education
What should your university or college be doing to mitigate risk? Here are some key preventative measures for network security.
1. Prioritize risk management
Educational institutions work differently from commercial businesses, making applying traditional risk assessment methods hard. Nevertheless, protecting crucial assets, infrastructure, sensitive data, and intellectual property in all settings is essential. Research institutions involved with government research must follow CUI guidelines because breaches or compliance failures can affect future funding. To prioritize protection, CISOs, and CIOs at these institutions must be closely involved in understanding the important assets and environments within the university.
2. Build Strong Network Security Governance
A detailed, comprehensive, and actionable information security policy is necessary to define responsible network use. Then, an active culture of shared network responsibility must be built and supported on campus. To increase buy-in around campus, consider developing a cybersecurity awareness campaign to distribute material and examples about cybersecurity.
With increased networking risk, it’s necessary to make sure that everyone is doing their part to keep data secure for everyone’s benefit. Combined with regular staff, faculty, and student training sessions, you can feel more confident when implementing a strong information security policy.
3. Provide Instruction & Support
With so many students and faculty working remotely, the university needs to be clear about shared responsibility. Provide information to all users to raise awareness regarding increased threats.
- Warn the community about the high amount of spam, hacking scams, and phishing emails currently in circulation online.
- Remind staff and faculty of policies and practices related to the transmission of sensitive data.
- Tell users where they can find official information related to remote working policies and campus announcements.
- Identify sources for reliable information and future announcements.
- Instruct network users not to download from non-reputable sources and avoid malicious websites and suspicious links.
- Let users know where they can turn for help. Provide contact information for the IT department or help desk and make it easy for students and faculty to report suspicious activity and unsolicited messages.
4. Identify Vulnerabilities
Preparedness is founded on an accurate assessment or audit of the IT environment. Evaluating organizational policies and practices, assessing implementation and the university’s technology infrastructure is the only way to gauge risk level. Once risks and vulnerabilities have been identified, only then can they be addressed.
5. Follow National Guidelines
Nationally recognized standards, including NIST, provide practical frameworks for universities to develop and improve their cybersecurity programs and policies. It helps higher ed institutions address things like encryption, port access, and multi-factor authentication.
6. Maintain Security Updates
Most universities provide users with virus-scanning software free of charge. Just as the IT department must keep patches up to date, users also need to keep their software current. Now is a crucial time to address vendor vulnerabilities. Encourage the campus community to update their software, antivirus program, and operating system.
7. Set a Backup Schedule
The university’s disaster recovery plan should already have a set backup schedule. In a ransomware attack, crucial data storage can be restored quickly. Cloud-based solutions make this process automatic and help mitigate the risk of downtime and data loss.
8. Secure Network Access
Faculty and students should understand the importance of using the virtual private network when connecting university systems hosted on campus. Network encryption adds an extra layer of security for remote operations.
9. Enforce Password Changes
Users should be required to use strong passwords and change them each semester. Stressing the use of unique passwords decreases the risk of malicious attacks using account credentials stolen from social media and other service providers. Recommending or providing free password manager services can be helpful in enforcing this policy.
10. Stay Alert by Monitoring
College campuses can be complex and difficult to manage using conventional security and compliance methods. It’s crucial for higher education institutions to develop a system for continuous, real-time, and dependable monitoring of critical security measures to protect their environment effectively.
This video by Cisco provides some helpful best practices you can adopt to help secure remote employees and students without overburdening your staff.
Factors to Consider When Protecting Network Security for Higher Learning Institutions
No matter how small or large your higher learning institution, you likely face unique challenges. IT departments are responsible for shepherding a massive, tech-savvy student body and supporting access to a wide range of online resources.
A CIO’s responsibilities at the collegiate level are staggering, considering all the population sectors—including students, faculty, and staff—the different types of devices, remote access, and the storage placement you use, on-site or in the cloud.
Populations Using the University’s Network
Your student body and faculty probably comprise most of your network usage. With students, you must account for those living in dormitories and those working remotely from home or off-campus housing around the clock. Your job managing your student body is your largest responsibility by far.
Educators also use the network heavily, although they are more likely to relegate their network usage solely to work tasks, including research, email correspondence, online classroom platforms, and video conferencing.
Your staff may comprise adjunct teachers, teaching assistants, administrative professionals, custodial workers, security officers, and more. Those who have access to the network, should be assigned different levels of security.
Universities also provide secondary guest networks for visitors on campus. Traffic tends to spike during specific periods; for example, when hosting conferences, sports activities, and alumni events. A separate network makes it possible to welcome guests by letting them use the internet while keeping the college’s proprietary data safe from malware attacks and other potential data breaches.
Devices Accessing the University’s Network
Knowing all the types of devices used to access the network will help you draw up your information user policy. This type of policy is critical in protecting the internal university network where all the most sensitive data is stored. Take stock of all the digital device possibilities, which include:
- Desktops and laptops,
- Smartphones and tablets,
- Other smart and Bluetooth devices,
- Gaming consoles and televisions.
Learn more about our 100% Remote IT Security Assessments & Compliance Attestations.
CMMC Compliance Readiness | I.S. Partners
I.S. Partners, LLC. works with organizations in various industries to help develop risk management programs and information security policies that address specific networking concerns. Please reach out to us by calling 215-675-1400 or request a quote so we can help your higher education institution to prevent data breaches and malware attacks.
Learn more about our complete CMMC compliance services.