As of July 30, more than 125 organizations claimed to have been affected by the Blackbaud security breach back in May of this year. Of those, nearly half are schools or universities, highlighting a trend of increasingly complex ransomware attacks on learning institutions. To keep up and stay secure, schools need to be modernizing more strategically.
Colleges and universities have long been prime targets for hackers, because they deal with a lot of sensitive and therefore valuable information – from personal health and financial records of students, staff, and alumni, to research and development data. Schools also tend to have weaker or less mature security programs. Information may be stored on vulnerable legacy systems, transported across vast networks, and accessed by unmanaged student devices. The pervasive use of on-campus Wi-Fi enables outsiders to connect and pose serious threats.
Such a laundry list of access points makes it difficult for schools to maintain secure digital perimeters. A transition to more technical and remote capabilities risks compounding that issue because such a transition means more access and therefore more access points for schools to secure and manage. Without sufficient strategy and oversight, even schools with some level of cybersecurity risk making themselves more vulnerable as they adapt because it’s not guaranteed that existing security measures will still be sufficient. The situation with Blackbaud is case and point.
Blackbaud is a cloud-computing services provider that supplies many of the schools affected by the breach with CRM (customer relationship management) tools, such as platforms and systems for alumni relations or interdepartmental communications. These services reflect schools’ interests in modernizing to improve user-experience and support remote-friendly learning. They also represent extensions of existing security threats. Greater connectivity means more devices accessing schools’ information from a wider variety of networks, including public or unsecure Wi-Fi.
Even relying on a third party to facilitate these exchanges presents vulnerabilities. Hackers frequently target third-party vendors to gain access to the organizations those vendors support. And, due to strict regulations about the handling of student records and data, schools are expected to be responsible for any actions involving that data – even the actions of an external partner.
What, then, is a university to do?
The answer lies in awareness and strategy. Schools need to better understand their third-party information supply chain and how to manage security throughout.
This may sound like an obvious conclusion to draw, but ask yourself: What are the security policies and procedures of your third-party vendors? How do you know that your data is safe with them? What about the students and staff accessing your school’s networks – how do you know they’re following best practices?
Some of the most common cybersecurity issues are perpetuated because organizations trust that the proper measures are in place rather than investigating and evaluating those measures themselves. This is especially true as schools modernize, because not everyone has the technical knowledge to know whether a system is adequately secured and what impacts certain updates will have. Schools, like other organizations, need to develop the strategies, policies, and procedures to ensure that their operations are as secure as they are efficient.
This means auditing the school’s security architecture and creating a blueprint for renovations. This means hiring the talent and expertise to build and maintain those systems, and acquiring the tools to support that talent. This means investing time and resources into educating all users on best practices to keep access points secure, and ultimately establishing a trust-but-verify process to ensure all third-party access meets the university’s security requirements.
Great – but how are schools, especially those already struggling with cybersecurity, expected to address all these points? How much time do they have? How much will it all cost? Where do they even begin?
Rather than getting overwhelmed by the long road ahead and cutting corners or avoiding the journey altogether, schools should think of cybersecurity as an ongoing effort and focus on taking careful, continuous steps forward. All along the way, there are resources and partners available to help. Wipro, for example, offers a comprehensive remote assessment to get universities started by identifying gaps in their security coverage, vulnerabilities in their systems, and potential threats. Wipro then uses this information to help universities align on a security development plan that accounts for their entire information supply chain. Such strategic planning supports resilient cybersecurity programs that are tailored to the specific needs of an organization yet flexible enough to adapt to meet new demands.
Wipro has also formed the Quarterly Cybersecurity Advisory Council, which meets to discuss developments and innovations in cybersecurity. It’s our hope that sharing ideas and experiences will raise awareness among organizations, including those in the higher education sector, and make security best practices second nature.
Change is constant and rapid in the digital world. The keep up and stay secure, schools need to be aware of where they stand and where they’re headed. To start strategizing your development, contact us and ask about our remote security assessments. And check in with our Quarterly Cybersecurity Advisory Council for updates on how to bring higher security to higher education.
To learn more about your securing your data with Salesforce, check out our Appirio blog, Safer with Salesforce, Tips to protecting your data.
Appirio, a Wipro Company is a Premium Partner of Salesforce.org, together they are enhancing the student and education experience with seamless solutions to ensure efficiency, increase engagement, and mitigate risk. To learn more about Appirio Higher Education, click here.
About the AuthorFollow on Linkedin More Content by Emily Rust