When I saw last week’s New York Times story about the problems universities are experiencing with cyber attacks, my first thought was one of surprise. Wasn’t this kind of story published years ago? Hackers are opportunistic and universities pride themselves on providing free and open access to materials. Cyber attacks on research universities have been happening for some time.
The reality is a lot of R&D takes place at universities across the country and the bad guys know it. If they want to steal the latest and greatest – whether it be patents, new drugs, technology or anything else – it’s likely being developed at a university somewhere. Why wait until it gets into production? Go ahead and steal it now!
I’ve worked with a number of universities throughout my career, and as soon as you start talking about security policies or anything else that might limit or slow access, they get nervous. It goes against the grain at a teaching institution. But today, universities are waking up to the fact that they are just as much at risk as the enterprise. Not only do they possess significant personally identifiable information (PII) about their students, they have valuable intellectual property. Their IP is their Holy Grail and they need to act appropriately to protect the data they’ve been entrusted to protect. Here are my suggestions for university IT departments:
Step one: Review your security policies and, where needed, add basic security initiatives and technical safeguards that support the policy implementation.
Step two: Enhance user education. Universities are in a unique and challenging position. Not only are employees, who in theory should be relatively easy to manage, accessing your network, but so are many, many students and visitors. Obviously this group is much more difficult to influence. Most universities require students to complete certain online training programs, typically related to campus safety or other issues of concern, before they can register for classes. Consider adding an Internet security program to the list. And your IT team needs additional technical training to cope with the huge number of endpoints that access the network and your data.
Step three: Shift away from “fail tech.” Yes, I’m looking at you, standalone AV. Or port-centric firewalls. Every device that accesses your network is potentially hostile and it’s impossible to keep track of them all, particularly in such a fluid environment. You’re sunk if you rely on blacklisting as your only defense against an aggressive, determined adversary. Instead, look to a defense-in-depth approach that includes whitelisting, which will only allow known, permissible items to execute. Obviously there is never a guarantee, but with this approach you have significantly reduced your risk. It’s critical you look to the next generation of security solutions to mitigate current-generation threats.
And finally, step four. Change your mentality. Though it likely goes against your institution’s ideals, you should limit, at least to an extent, free and open access. Otherwise, your hard-earned IP will be gone and with it, your prestige and revenue. Make it at least a little harder for people to get in; otherwise, anyone is going to continue to barge in and take what they want.
Across all industries connected to the Internet (and who isn’t, these days?), the bad guys are opportunistic. They’ll break into any network, rummage around to find any information they can, and if there isn’t a salable market for your data already, they’ll create one.