Colleges and universities are on a continuous journey toward cyber resilience, a vital undertaking given the ever-evolving digital landscape. While the path forward may seem daunting, especially for those with decentralized decision-making structures and siloed departments, these challenges present unique opportunities for growth and innovation. By addressing these barriers, colleges and universities can create a more unified approach to cybersecurity that benefits everyone within the academic community.
Higher education security and IT departments have often worked in isolation, but the future calls for breaking down these walls to achieve an effective cyber resilience strategy. Aligning priorities and fostering clear communication across all stakeholders — including IT leaders, university management and academic departments — will build a more resilient and secure digital education environment. Based on my experience in the cybersecurity industry, I offer the following recommendations:
Shifting the focus from infrastructure security to data security is critical. Colleges and universities should prioritize protecting sensitive data by developing and publishing a cyber recovery time objective (RTO). This metric outlines the expected recovery time from cyber incidents, ensuring all stakeholders know the institution’s recovery capabilities. Establishing and publishing a cyber RTO involves identifying key parties, documenting communication methods outside the corporate network and creating a recovery plan that includes clean restoration points that can be restored without reinfection.
- Prevent reinfection and ensure clean recovery
One of the most significant differences between traditional disaster recovery and cyber recovery is the risk of reinfection. Ransomware and malware can persist in backed-up data, leading to reinfection during recovery and prolonging downtime. Colleges and universities should implement strategies to detect and eliminate malware from backups, ensuring recovery processes do not inadvertently reintroduce infections. This strategy involves maintaining clean restoration points and implementing robust backup protocols across cloud, on-prem and software-as-a-service environments.
- Identify and categorize sensitive data
Higher-ed institutions handle diverse sensitive data, including criminal justice information and data related to the Family Educational Rights and Privacy Act, Payment Card Industry and the Health Insurance Portability and Accountability Act. Effective data handling starts with information security and compliance teams collaborating to understand regulatory requirements. Identifying sensitive data and its locations within the institution is crucial, as it allows for better investigation of a potential breach, assessment of its scope and appropriate remediation steps. Colleges and universities should deploy measures to scan for under-protected data and develop workflows to address compliance gaps. This proactive approach ensures that sensitive data receives the highest level of protection.
- Implement access control and life cycle management
Access control is vital for preventing unauthorized access to sensitive data. Multifactor authentication and zero-trust principles enhance security, especially for administrative access points.
Higher-ed institutions often face unique challenges due to the life cycle of identity access for students, faculty and staff. For example, students might transition to employees or alums, requiring dynamic access control measures that adjust based on the individual’s role. Effective life cycle management ensures appropriate access and minimizes risks associated with prolonged or outdated access permissions.
- Establish and test cyber recovery programs
Developing a robust cyber recovery program involves establishing a hardened backup environment and provable recovery strategies. It is essential to understand that cyber resilience is a journey rather than a one-time project. Institutions must adopt a multiyear, multiproject approach to enhance their cyber defenses gradually. The process starts with understanding the most critical applications and their specific recovery needs, aligned with business-driven recovery objectives.
Institutions should prioritize involving key IT, security, compliance and risk management staff to work collectively on cyber recovery strategies. Regular testing and demonstration of recovery processes are necessary to ensure readiness. The goal is to transition from simply having immutable backups to developing effective recovery plans that address the unique challenges of cyber incidents.
BUILDING CYBER RESILIENCE FOR THE FUTURE OF DIGITAL LEARNING
In an era where digital technologies are essential to education, ensuring cyber resilience will continue to be crucial for colleges and universities. Addressing decentralized decision-making, improving data protection, preventing cyber reinfection, managing access to sensitive data and establishing robust recovery programs are fundamental to creating a secure academic environment. Moreover, higher-ed institutions can protect sensitive data by refining data recovery strategies while driving innovation in our fast-changing digital landscape.
Aaron Lewis is the associate vice president of U.S. public-sector sales engineering at the cybersecurity company Rubrik.