Supporting Student Success through Reducing Cyber Risk

Mira Lalovic Hand, CIO and SVP at Rowan University

Mira Lalovic Hand, CIO and SVP at Rowan University

Mitigating information security risk is everyone’s responsibility because our students' futures are at stake.

Disruptive forces in technology can lead to opportunities in today’s business world, and they can also open major vulnerabilities. In this environment, the CIO must lead the charge to identify and manage information security risks, but they can’t do it alone.

To take advantage of new business opportunities securely, you must have the full support of your organization behind you, helping you fight off cyber security threats en masse. This is especially true in higher education, where decentralization can create information gaps and slow response times in urgent situations. Higher education also presents other unique challenges, including that:

• You have to balance security with access in ways other industries do not.

• You have to secure a wide range of data covered by government regulations, including academic, health care and financial records, as well as proprietary research information.

• You have to do all of this with limited resources, particularly in public institutions where state and federal appropriations continue to decline.

So, where do you start? That may seem like an impossible question to answer given the challenges above, but it isn’t. You start by designing the system that your organization will use to defend itself. Developing this system will not be an overnight win. It’s a long-term strategy that takes time and patience to execute, but it’s well worth your time.

Core to the mission of any institute of higher education is helping students learn, and technology has become deeply embedded in the learning process. While a cyber attack can lead to serious financial losses and a significant blow to the institution's reputation, it also endangers students’ ability to succeed. And the threats keep mounting in higher education. A 2022 report from Verizon on data breach investigations found educational services sector is “experiencing a dramatic increase in ransomware attacks (over 30 percent of breaches),” and the FBI issued a warning in March 2021 about ransomware that was “specifically targeting higher education, K-12 schools, and seminaries.”

“While a cyber attack can lead to serious financial losses and a significant blow to the institution's reputation, it also endangers students’ ability to succeed. And the threats keep mounting in higher education”

If you haven’t developed your system yet, now is the time to start. An effective information security risk management plan could mean students are able to keep learning by providing uninterrupted access to technology — even when something goes wrong.

Building Your Cyber Security Army

Your system will be unique to your organization, but it must have these two features to succeed: It must be adaptable, ready to pivot to meet emerging threats, and it must have a strong focus on the people within your organization. People will establish the bulk of your defense. The tools and policies your institution has to secure effective services to the university will make up the rest of your arsenal.

People are your greatest asset. They are also your weakest link. People make mistakes. They may forget to complete a key step when configuring a system, click on a link they shouldn’t or inadvertently hand over their password in a malicious website. Nevertheless, those same people can help you fend off attacks with the right approach. It would be a great mistake to build a defense system where people are not a major part of the solution.

You must empower the community with the information and tools they need to identify and report potential threats. This includes establishing a clear process for reporting security incidents and regularly communicating the process to the university community. It also includes developing a robust security awareness training program that teaches your community how to identify potential threats and targets additional training to individuals who need it. Then, you must charge your technical staff with quickly responding to community reports.

Having tabletop exercises with all layers of management is one key element to your system’s success. Another is the rapport you and your team maintain with the broader university community. This relationship is always intense. IT departments deal with tight deadlines, competing priorities and short turnaround times to deliver services. On top of that, long-term strategies are often updated with new priorities, requiring shifts in direction. Maintaining this relationship can also be difficult as the community may only engage when they need help. As CIO, how are you to respond? With integrity, poise and open and complete communication channels.

You also need to engage at the highest level. Boards of directors who govern universities understand that cyber threats have become a serious enterprise risk, and they are placing a strong emphasis on risk management. You must work with that group to set direction and expectations.

Managing Cyber Risk Amid Other Challenges

Most organizations treat large-scale cyber events as business operations crises. Universities need to do the same, particularly given the current state of higher education. Universities and colleges are competing for fewer traditional, first-time students, the shelf-life of skills in the workforce is shrinking, the value of a traditional degree is under increasing scrutiny, and public financial support for higher education is diminishing in many markets.

With all of this at stake, CIOs cannot afford to put any other initiative ahead of information and systems security.

You will never eliminate risk. But, with the proper technical defenses, communication, training and outreach, you can create an army of supporters ready to respond to whatever comes your way. With the unprecedented number of stressors on higher education right now, creating an effective and cohesive information security risk management plan that focuses on people above all else could make or break the future of your organization and, therefore, your students’ ability to succeed.