Skip to main content

Cybersecurity And Higher Ed: Practical Advice

(Image credit: Unsplash: Petter Lagson)

Curtis Carver is Vice President for Information Technology and Chief Information Officer at the University of Alabama at Birmingham, and a member of T&LU’s advisory board. He has spent decades in higher ed IT, including stops at the University System of Georgia and West Point.

In the third installment of this three-part series, he provides practical advice that all institutions can employ to improve cybersecurity.

Part 1: What You Need to Know

Part 2: The Challenges

Higher ed institutions often dedicate staff and invest in a blend of solutions to fend off cyber attacks, but there are some more practical actions that can be undertaken to protect a campus. 

1. Take a human-centric approach to security

You have to put your employee who is trying to do work for your institution at the center of the conversation. Try to figure out how you can protect them, and in the least intrusive possible way. 

Avoid putting security at the center of conversation, or using fear, uncertainty and doubt (FUD) as the organizing principle of the case to improve security.

The role of security is increasingly important, but there needs to be increasing rigor around how it is deployed so that it’s effective and practical. 

2. A common mistake is believing that if you improve cybersecurity policy, that’s all you need to do. 

For example, a CIO may think that ransomware attacks don’t work if you have a backup, so they’ll write a policy that everyone should have a backup of their current work. Well, that’s meaningless. What would be meaningful would be to deploy a backup system that’s easy to use for everyone, and then that policy can be implemented.

Do we still need the policy? Absolutely. But enable the right behavior for the policy with the right technology deployments. 

You want security to be actionable by all your employees, and it’s not going to be actionable by everyone if you’re just writing it down in a policy and then saying, ‘Go do this,’ and then not providing the appropriate resources to do it.

3. Build a positive security culture. 

You want to build an environment where all staff buy in and have accountability. 

It’s one thing to say, ‘Don’t click on phishing messages.’ When I first started here, when we had a report of a phishing attack, it took us about 800 minutes to close out that attack, meaning we went in, deleted it from all 25,000 mailboxes and we built an access control list that went into the routers to block that attack from coming in. Today we do it in 2 minutes--from the moment it’s reported, we delete it from 25,000 mailboxes and block it at the perimeter. So if you check your email more than 2 minutes later, you’d never even see the attack. 

Ask your employees to help you build a positive security culture. Say ‘Hey, help be a champion of the campus and report phishing attacks.’ We did this and got a large spike in both people not clicking and in people reporting phishing attacks immediately. 

It’s one thing to not click, but it’s another thing to be part of a community that defends, a part of a neighborhood watch that protects the entire campus.