Curtis Carver is Vice President for Information Technology and Chief Information Officer at the University of Alabama at Birmingham, and a member of T&LU’s advisory board. He has spent decades in higher ed IT, including stops at the University System of Georgia and West Point.
In the first of this three-part series, he looks at what higher ed leaders need to focus on when it comes to cybersecurity.
Lots of things are going on in cybersecurity today, which we can characterize in three themes.
1. Depth of defense still works.
You have to look at all possible angles of attack, and then prepare accordingly so that you have an end-to-end defensive strategy for your university. If you’ve prepared for ransomware but haven’t prepared for a denial-of-service attack or a phishing attack, you’re wide open. You’ve got to have a blend of technology, policy, and education, training and awareness approaches to address the growing cyber threats.
2. All threats are not equal.
The current threat du jour is phishing, and most IT departments have been ineffective in addressing it. You really need a strong educational approach so that staff are able to determine what is a “normal” and what is an “abnormal” email address, and what to do when something abnormal happens. Be practical with how you handle that, especially with folks who are repeatedly clicking on phishing messages.
For example, we do active phishing training and we have about a 12% click rate, but if you have someone who has clicked on every message of a 12-message campaign, you have a problem. They are not understanding the threat, and then the question becomes whether they’re a viable employee going forward.
Coupled with that is how you do password management. We’ve spent a long time saying you need to have a unique password for every account, and it’s wonderful to put that in policy, but that’s a CYA effort. What is really helpful is providing software that generates unique passwords for users and keeps track of them on their behalf.
Moving beyond policy and helping staff to do the right thing is critical.
3. Focus on practical security.
Do security that actually makes a difference. More is not necessarily better. Do the math: determine which risks you’re actually trying to mitigate, and then figure out how to do that.
My favorite example for this is passwords. Lots of folks say, ‘Hey, we’re going to change passwords every 90 days, and it’s got to be an eight-character password, and we’ll remember the last ten.’ Well, on a 2015 laptop, I can break an eight-character password in two hours. So the fact that you change it every 90 days is meaningless. All you’re doing is driving your users crazy.
At our institution, we have 15-character passwords and couple them with two-factor authentication, and we say your password is good for life. And the reason why? Because we’re good at math. If you took a million PCs, it would take 43,000 years to break a 15-character password, and when you couple it with two-factor authentication, there’s just no reason to change it every year because the auditors or compliance staff are not good at math.
In Part 2, we will look at some of the key challenges involved in cybersecurity for higher ed institutions.