Building Resilience: Best Practices for Threat Response Strategies in Higher Ed
This news item was published prior to Apogee’s acquisition and subsequent rebrand to Boldyn Networks in November 2024.
Your data is your institution’s crown jewel, and attackers constantly look for ways they can hack into your systems and gain access to it.
While bad actors pose a threat across industries, higher education is particularly vulnerable due to a lack of resources, expertise, deferred maintenance, and the sheer number of users accessing the network for diverse purposes. In this dynamic digital landscape, you must know how to enhance your institution’s security posture and avoid becoming the latest headline victim of a cybersecurity attack.
In this post, we’ll walk through how educational institutions can create effective threat response strategies—and why it’s so important to have one in place.
The key components of a successful higher ed IT threat response strategy
Threat response strategy in higher ed was fairly straightforward a decade ago—implementing firewall protection and antivirus software, with some rudimentary backup and disaster recovery plans was usually enough.
Today, though some organizations still work with this outdated strategy, the overall tone has shifted. Rather than relying on a reactive approach, higher education institutions must pivot to adopting a proactive, holistic threat response strategy.
Preventative security assessments
When it comes to threat response, preventing every intrusion is close to impossible (more on this later). What you can do is detect intrusions quickly, respond by containing the blast radius, and recover from immutable backups. Rather than waiting for an attack to reach your university, get ahead of it by protecting your data and your users up front.
First, start at the edge and work your way in:
- Fortify your firewall and VPN appliances: keep them patched to the current vendor release and audit their configurations regularly, since internet-facing VPN gateways are a common initial-access target.
- Keep every publicly exposed application patched, and put a web application firewall (WAF) in front of it to protect against Layer 7 attacks.
- Protect data in transit by retiring legacy protocols (SSLv3, TLS 1.0 and TLS 1.1) and requiring TLS 1.2 or later for sensitive information such as student records, research data, and faculty credentials.
- Encrypt data at rest as well, so that a stolen disk image or database dump does not by itself amount to a breach or an exfiltration.
These protections also support compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which requires documented safeguards for sensitive financial data such as student financial aid records.
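The TLS guidance above is easy to state and easy to get wrong in a config file, so here is an added audit script (not code from the original post or from Apogee) that reads nginx `ssl_protocols` and Apache `SSLProtocol` directives, expands Apache's `all` keyword, and flags any host that still accepts a legacy version; it also builds a Python `ssl` context with an explicit TLS 1.2 floor. The config text and host names are constructed for the example.

```python
"""Audit web-server TLS protocol settings and build a TLS 1.2+ client context.

Added example: parses nginx `ssl_protocols` and Apache `SSLProtocol`
directives from constructed config text and flags legacy versions.
"""
import re
import ssl

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN = {"TLSv1.2", "TLSv1.3"}
# What Apache 2.4's `SSLProtocol all` expands to (SSLv2 was dropped in 2.4).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Constructed sample: two nginx server blocks and one Apache vhost. The host
# names are placeholders, not real campus systems.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name portal.example.edu;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name sis.example.edu;
    ssl_protocols TLSv1.2 TLSv1.3;
}
<VirtualHost *:443>
    ServerName lms.example.edu
    SSLProtocol all -SSLv3
</VirtualHost>
"""


def apache_protocols(spec: str) -> set[str]:
    """Expand an Apache `SSLProtocol` value into the set of enabled versions.

    Simplified 2.4 semantics: `all` expands to APACHE_ALL, `-X` removes X,
    and `+X` or a bare `X` adds X, evaluated left to right.
    """
    enabled: set[str] = set()
    for token in spec.split():
        name = token.lstrip("+-")
        members = APACHE_ALL if name.lower() == "all" else {name}
        if token.startswith("-"):
            enabled -= members
        else:
            enabled |= members
    return enabled


def audit_config(text: str) -> list[dict]:
    """Report, per virtual host, which protocol versions its directive enables.

    A host is `ok` only when no legacy version is enabled and at least one of
    TLS 1.2 / TLS 1.3 is.
    """
    findings: list[dict] = []
    host = "(unnamed host)"
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(?:server_name|ServerName)\s+([^\s;]+)", line)
        if m:
            host = m.group(1)
            continue
        m = re.match(r"ssl_protocols\s+(.+?)\s*;", line)
        if m:
            enabled = set(m.group(1).split())
        else:
            m = re.match(r"SSLProtocol\s+(.+)", line)
            if not m:
                continue
            enabled = apache_protocols(m.group(1))
        legacy = sorted(enabled & LEGACY)
        findings.append({
            "host": host,
            "enabled": sorted(enabled),
            "legacy": legacy,
            "ok": not legacy and bool(enabled & MODERN),
        })
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """A client context that refuses anything below TLS 1.2.

    For a server that terminates TLS in Python, use
    create_default_context(ssl.Purpose.CLIENT_AUTH), load the certificate
    chain, and set the same minimum_version.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        status = "OK " if f["ok"] else "FIX"
        print(f"{status} {f['host']}: enabled={f['enabled']} legacy={f['legacy']}")
```

The Apache case is the one that bites: `SSLProtocol all -SSLv3` looks hardened but still enables TLS 1.0 and 1.1, which is why the expansion is done explicitly rather than by grepping for the word "TLSv1".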
Beyond your institution’s network core and data, end users are the next target. If adversaries can’t get through the firewall or the WAF and can’t breach the application, they will go after your users with tactics such as social engineering.
Zero Trust principles
To protect your users’ identities, universities should apply Zero Trust principles, as outlined by the National Institute of Standards and Technology (NIST) in Special Publication 800-207, Zero Trust Architecture, to every end user, from applicants to professors to the university president. SP 800-207 is built on the premise that trust is never assumed, regardless of where an access request originates: every request is authenticated and authorized on its own merits. Adopting this paradigm shift means assuming breach.
Many institutions are wary of implementing a Zero Trust framework—not because they don’t believe in its effectiveness—but because of its prohibitive costs, complexity, and resource-intensive setup. However, in the long run, the initial time and expense associated with setting up Zero Trust more than pay for themselves—especially if your university is able to avoid a costly ransomware attack.
- Multi-factor authentication: Your institution should prioritize multi-factor authentication (MFA) for identity verification. At its simplest, users confirm a login with a code from an authenticator app on their phone; where you can, prefer phishing-resistant methods such as FIDO2 security keys or passkeys over SMS codes and bare push prompts, which attackers routinely phish or fatigue users into approving. Either way, it can save you thousands of dollars and countless headaches. Without MFA, institutions are far more exposed to data breaches, which bring substantial legal fees, regulatory fines, and data recovery expenses. Accounts are also more easily compromised through phishing and credential stuffing if proper authentication isn’t in place, and recovering compromised accounts and investigating security incidents is time-consuming and resource-intensive for already burnt-out IT teams.
- Role-based access control: Users should only be able to see the information they need, when they need it. Faculty members, for example, should only have access to student grades and records for the courses they teach. These permissions should be assigned when a new user is provisioned, reviewed when their role changes, removed when they leave, and should follow the principle of least privilege (PoLP), with anything not explicitly granted denied by default.
- Backups: Immutable backups are your institution’s ace in the hole and the last line of defense against ransomware. Keep an isolated copy of your school’s data (for example, in cloud object storage with retention locks) that cannot be altered or deleted even if your primary systems and administrative credentials are compromised, and test restores regularly. Then, even in the event of a ransomware attack, you know your data can be restored, and you can spend your time on proactive security measures and strategic planning rather than on cleanup.
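To make the role-based access control item concrete, here is an added example (not code from the original post or from Apogee) of a deny-by-default authorization check for a student-records system. Each role's permissions carry a scope, so an instructor's `grade:read` only applies to courses they teach and a student's only to their own grades, and an unknown directory affiliation provisions no roles at all. The role names, data fields, affiliations and sample users are all constructed for the example.

```python
"""Deny-by-default, scoped authorization for a student-records system.

Added example: role permissions carry a scope, so an instructor's
`grade:read` only applies to courses they teach and a student's only to
their own grades. Role names, fields and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# role -> {"<resource>:<action>": scope}
#   "global": anywhere in the system
#   "course": only for courses the user teaches
#   "own":    only for records about the user themself
PERMISSIONS = {
    "student": {"grade:read": "own"},
    "instructor": {"grade:read": "course", "grade:write": "course", "roster:read": "course"},
    "registrar": {"grade:read": "global", "roster:read": "global",
                  "record:read": "global", "record:write": "global"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    teaches: frozenset = frozenset()   # course IDs the user instructs
    enrolled: frozenset = frozenset()  # course IDs the user is taking


@dataclass(frozen=True)
class Resource:
    kind: str                       # "grade", "roster" or "record"
    course: Optional[str] = None
    student: Optional[str] = None   # whose record this is, for grades/records


def is_allowed(user: User, action: str, resource: Resource) -> bool:
    """Return True only if some role grants the action within its scope."""
    key = f"{resource.kind}:{action}"
    for role in user.roles:
        scope = PERMISSIONS.get(role, {}).get(key)
        if scope == "global":
            return True
        if scope == "course" and resource.course is not None and resource.course in user.teaches:
            return True
        if scope == "own" and resource.student == user.name and resource.course in user.enrolled:
            return True
    return False  # no matching grant: deny


def provision(name: str, directory_affiliation: str, **scopes) -> User:
    """Map a directory affiliation to roles at account-creation time.

    Unknown affiliations get no roles at all rather than a guessed default.
    """
    roles = {"faculty": {"instructor"}, "staff-registrar": {"registrar"},
             "student": {"student"}}.get(directory_affiliation, set())
    return User(name, frozenset(roles),
                frozenset(scopes.get("teaches", ())), frozenset(scopes.get("enrolled", ())))


# Constructed sample principals
PROF_LEE = provision("lee", "faculty", teaches={"CS101"})
PROF_KIM = provision("kim", "faculty", teaches={"MATH200"})
ALICE = provision("alice", "student", enrolled={"CS101"})
REGISTRAR = provision("pat", "staff-registrar")
GUEST = provision("guest", "alumni")  # unknown affiliation -> no roles

if __name__ == "__main__":
    checks = [
        (PROF_LEE, "read", Resource("grade", "CS101", "alice")),
        (PROF_KIM, "read", Resource("grade", "CS101", "alice")),
        (ALICE, "read", Resource("grade", "CS101", "alice")),
        (ALICE, "read", Resource("grade", "CS101", "bob")),
        (REGISTRAR, "write", Resource("record", None, "alice")),
        (GUEST, "read", Resource("roster", "CS101")),
    ]
    for user, action, res in checks:
        print(f"{user.name:6} {action:5} {res.kind}/{res.course}/{res.student}: "
              f"{'ALLOW' if is_allowed(user, action, res) else 'DENY'}")
```

The point of the scope column is that "instructor" alone is not a sufficient answer to "can this person read this grade"; the check has to consult the relationship between the user and the specific course, which is what keeps a compromised faculty account from reading every transcript on campus.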
Recovery and monitoring
No matter how prepared you are, incidents will happen, and recovery can be brutal. According to the IBM Data Breach Action Guide, it takes organizations an average of 207 days to identify a breach and another 70 days to contain it, a total of 277 days during which the adversary has a foothold in the environment.1
So, how can your institution minimize disruption from cyberattack?
As with preventative measures, Zero Trust principles are a good place to start. Even when there isn’t an identified threat, assume you’ve been breached. This assumption aligns with the evolving cybersecurity landscape, where proactive measures and continuous monitoring are essential for early threat detection and response. Essentially, this posture helps you identify and contain threats before they become a major issue.
- Implement EDR/XDR: Endpoint detection and response (EDR) and extended detection and response (XDR) tools continuously collect telemetry from endpoints (and, for XDR, from identity, email, network and cloud sources) and analyze it in real time, using user and entity behavior analytics (UEBA) and machine learning to surface activity that signature-based tools miss. They also let responders isolate a host or kill a process remotely, which is what containing the blast radius looks like in practice.
- Seek expert assistance: For resource-strapped institutions, leveraging external expertise for improved response capabilities can be a game-changer. Services like Apogee Virtual Chief Information Security Officer (vCISO) provide fractional CISO support that helps guide and implement cybersecurity strategies and threat response plans efficiently—without needing to hire a full-time cybersecurity expert.
- Retrieve from a backup: Again, if all else fails, those aforementioned data backups will save you in the event of a cyberattack. Make sure your organization has those in place.
Ongoing monitoring
After implementing robust protection measures and response plans, continuous monitoring and threat intelligence become critical components of maintaining a strong cybersecurity posture. Continuous monitoring involves actively observing and analyzing network traffic, user activity, and system logs to detect any suspicious or malicious behavior in real time. This proactive approach allows your institution to identify potential threats early and take immediate action to mitigate risks.
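As an added example of what "analyzing system logs to detect suspicious behavior" means in code (this is not code from the original post or from Apogee), the block below runs two detections over SSO authentication log lines: a password spray, where one source tries a few passwords against many accounts to stay under lockout thresholds, and a successful login that follows a burst of failures for the same account and source. The log format, the sample lines and the thresholds are constructed for the example; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Two detections over SSO authentication logs: password spraying and a
success preceded by a burst of failures.

Added example; the log format and the sample lines are constructed and the
IP addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-04-01T08:00:01Z sso auth result=fail user=alice src=203.0.113.5
2024-04-01T08:00:09Z sso auth result=fail user=bob src=203.0.113.5
2024-04-01T08:00:17Z sso auth result=fail user=carol src=203.0.113.5
2024-04-01T08:00:25Z sso auth result=fail user=dave src=203.0.113.5
2024-04-01T08:00:33Z sso auth result=fail user=erin src=203.0.113.5
2024-04-01T08:05:00Z sso auth result=fail user=lee src=198.51.100.7
2024-04-01T08:05:20Z sso auth result=fail user=lee src=198.51.100.7
2024-04-01T08:05:40Z sso auth result=fail user=lee src=198.51.100.7
2024-04-01T08:06:00Z sso auth result=success user=lee src=198.51.100.7
2024-04-01T08:10:00Z sso auth result=fail user=bob src=192.0.2.10
2024-04-01T08:10:30Z sso auth result=success user=bob src=192.0.2.10
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sso auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(lines):
    """Turn raw lines into event dicts, oldest first; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """One source failing against >= min_users distinct accounts inside `window`.

    Sprays stay under per-account lockout thresholds, so the signal is the
    number of accounts a source touches, not the failures per account.
    """
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["src"]].append(e)
    alerts = []
    for src, evs in fails.items():
        start = 0
        for end in range(len(evs)):             # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                alerts.append({"type": "password_spray", "src": src, "users": len(users)})
                break
    return alerts


def detect_bruteforce_success(events, min_failures=3, window=timedelta(minutes=30)):
    """A success for (user, src) preceded by >= min_failures failures in `window`."""
    recent_fails = defaultdict(list)
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            recent_fails[key].append(e["ts"])
            continue
        count = sum(1 for t in recent_fails[key] if e["ts"] - t <= window)
        if count >= min_failures:
            alerts.append({"type": "bruteforce_success", "user": e["user"],
                           "src": e["src"], "failures": count})
        recent_fails[key].clear()
    return alerts


def run_detections(log_text):
    """Parse a log blob and return all alerts from both detections."""
    events = parse(log_text.splitlines())
    return detect_spray(events) + detect_bruteforce_success(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The single failure followed by a success for `bob` from 192.0.2.10 is the ordinary "mistyped password" case and produces no alert; tuning `min_users`, `min_failures` and the windows against your own baseline is the work that turns these rules from noise into signal.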
Instituting 24/7 monitoring also demonstrates a commitment to ongoing improvement and readiness in addressing evolving cybersecurity challenges for everyone on campus.
Staying current with security threats
While network breaches happen every day, the good news is that we can learn from them.
The MITRE ATT&CK Framework is a public knowledge base of adversary tactics, techniques, and procedures drawn from real-world intrusions.2 In short, it is a shared vocabulary for how attackers operate, which lets you map your detections and controls against the techniques most relevant to your institution and find the gaps.
Staying informed about recent attacks and application vulnerabilities is another way to learn about threats before they reach you. Sources like Krebs on Security are a good place to start; its coverage of Apple’s and Microsoft’s latest security patches is a recent example.3
It’s overwhelming to learn about the sheer number of threats in cyberspace, let alone respond to them before it’s too late. Partnering with an industry expert like Apogee provides invaluable support and guidance, helping institutions proactively address challenges and stay ahead of potential cybersecurity risks.
Collaboration with academic departments
Don’t overlook the interpersonal aspect of a strong threat response strategy. Though you need technology to defend your network, building solid partnerships and communication with various academic departments in the institution is important, too.
This collaboration gives you a more comprehensive understanding of potential threats specific to educational activities, research projects, or administrative functions. It also facilitates a coordinated, smooth response to future security incidents and accelerates security training across the university.
Common threat response pitfalls to avoid
Developing a threat response strategy can be daunting, especially when you have so much on your plate. You’re likely grappling with budget constraints, staff shortages, and complex IT environments, all of which make implementing a robust cybersecurity strategy that much harder.
We’ve covered some best practices for cybersecurity, but it’s equally important to highlight what not to do.
Overlooking a data backup strategy
It can’t be overstated: having a backup of your institution’s data is paramount. If all else fails, a backup ensures you won’t have to pay an attacker’s ransom and can recover your data as needed. Backups must be tested frequently and kept where the credentials that run production cannot delete them, since ransomware operators look for backups before they encrypt. If you don’t have proper backups in place, you not only risk losing critical information in a cyber incident, but may also face regulatory, financial, and legal consequences.
Inadequate security measures
Institutions without in-house security expertise, or with few resources to devote to their security posture, are frequently left vulnerable to cyberattack. Inconsistent patching and updating of systems and software, limited encryption of data at rest or in transit, poor endpoint management, and little or no security awareness training are just a few of the practices (or gaps) that increase the risk of a breach.
Insufficient user awareness and training
Neglecting to educate faculty, staff, and students about cybersecurity best practices can have severe consequences. When students understand why they’re asked to add an authenticator app to their phones, it builds a more security-conscious culture. Training everyone on campus on the importance of data protection and on how to recognize phishing and other social engineering reduces the risk of human error and the likelihood of a successful attack.
Embracing proactive threat response for a resilient higher education landscape
Going forward, higher ed institutions must move beyond mere compliance and reactive measures. Zero Trust principles are the gold standard for safeguarding sensitive data, preserving your school’s reputation, and maintaining smooth operations amidst evolving cyber threats.
Together, people, processes, and technology create the framework for safeguarding your institution’s IT environment. Training and empowering your people—your staff, students, and other campus stakeholders—to recognize and react to security threats is essential. Building on that training and awareness with processes that guide actions and decision-making is equally important. Finally, leveraging technology, the tools and systems used to protect data and infrastructure, ensures a comprehensive approach to security posture.
If your university lacks the resources to build this in-house, drawing on external expertise through managed services is a viable option. Managed detection and response (MDR) and other next-generation security technologies are complex, time-consuming, and costly to set up, especially when it’s your team’s first time doing so.
Apogee security services help close gaps in security expertise and offer your organization cost-effective strategies for protecting sensitive data on your campus.
Learn more about how Apogee helps fortify your campus IT security posture today.
Sources:
1. IBM, “Data Breach Action Guide,” August 2023. Accessed April 1, 2024.
2. MITRE, “MITRE ATT&CK® Framework.” Accessed April 1, 2024.
3. Brian Krebs, Krebs on Security, April 2024. Accessed April 1, 2024.