Cybersecurity 101: Creating Higher Standards for Higher Education
November 16, 2023

As the 2021 fall semester began in community colleges across the nation, two schools had to close because of cyberattacks. In July of 2022, another college took down its phone and online services for a month because of a malware attack. And in May of 2023, a group exploited a vulnerability in the MOVEit application to breach hundreds of organizations, including colleges. From ransomware to ghost students, cyberattacks on institutions of higher education are rising, exposing student data and research and even holding data for ransom.

Institutions of higher education, and community colleges in particular, are attractive targets for hackers. The amount, variety, and sensitivity of the data stored in their databases makes hacker mouths water. Their typically decentralized organization means more systems, and more vulnerabilities, to exploit. And the sheer number and variety of users on those systems creates innumerable avenues for attack.

In recent years, with its hybrid and distributed communities, the higher ed sector has hosted a breach-a-palooza for bad actors. As a result, the temperature within the industry is changing from “why would anyone want to hack us?” to “whoa, we needed to address this yesterday!” In fact, cybersecurity—specifically balancing cost and risk in building overall institutional resilience—topped Educause’s Top 10 list for 2024. The situation is urgent. But where do you even begin?

Figuring out why higher ed is such an appealing target.

While still shaped by societal trends, many aspects of higher education make it unique among regulated industries:

  • The number and distribution of students, staff, faculty, and service providers.
  • The online and hybrid aspect of course delivery.
  • The amount and sensitivity of research.
  • The hierarchy needed to create change.
  • The number of legacy apps and systems.
  • The existing overall state of cybersecurity readiness.

Exacerbating this situation are a lack of information sharing and significant underreporting of incidents, though that is changing in some states. Add it all up, and each of these unique aspects translates into multiple vulnerabilities that bad actors can exploit.

Like everyone else, however, higher ed struggles with cybersecurity workforce issues. This is true in both public (state, local, and education, or SLED) institutions and private ones. The people who do this work are expensive and hard to find. The learning curve to establish new standards of cybersecurity is steep. And time is short. It’s a common story in regulated industries. While there are many procedures and policies you can enact to tighten security, most organizations are finding that hardening systems to established standards delivers the most bang for the buck. In many cases it is mandated. But even when it’s not, it’s still the smartest thing you can do.

Creating cyber resilience by meeting STIG and CIS standards.

The two most prevalent cybersecurity standards in regulated industries are STIG and CIS. Both provide detailed lists of settings that need to be addressed (known as “controls”) to fortify your servers and workstations. Security Technical Implementation Guides (STIGs) were created by the Defense Information Systems Agency (DISA). CIS refers to the Benchmarks, a set of recommendations similar to controls, published by the nonprofit Center for Internet Security (CIS).

Meeting either one of these standards puts your systems on par with the system hardening used to protect our nation’s most sensitive data. But aligning with a standard doesn’t make it easy. Done manually, it can take months of hair-pulling effort to achieve a secure baseline. Then quarterly updates are released and you have to do it again. Meanwhile, you need reports to document your compliance for auditors. It becomes an all-encompassing job in which you are constantly struggling to keep up, which is why everyone from government agencies to higher ed is looking at automation.

Seeing how all this works in an actual implementation.

In a real-world example, a community college system wanted to secure the more than 20 colleges in its network. The client was familiar with government security standards and felt that STIGs were more than he needed in the State & Local Government, Education sector, so he identified CIS Benchmarks as the standard he wanted to meet. Implementing the Benchmarks manually with his small team, however, would take months, and he wanted this initiative done yesterday.

The client explored automation options and chose the solution government agencies have trusted most—SteelCloud’s ConfigOS. In the first week of testing (not months), he brought one of his test environments from 14% to 95% compliance. Training was easy, and scanning and remediation against the Benchmarks is now effortless and well within his team’s capability and bandwidth. He also appreciates the ease of reporting, which lets him quickly satisfy auditors when they come knocking.

Making sure you’re ready when hackers come knocking.

Like many other highly regulated industries, the higher education sector is looking to strengthen its cybersecurity posture amid constant threats. Many institutions are doing that by adopting proven compliance standards like STIG or the CIS Benchmarks, whether mandated or not. However, the labor market is not cooperating—there are an estimated 700,000 vacancies in cyber-related jobs in the US.

The solution of choice is automation—automating the processes of scanning, remediation, and reporting while enabling continuous compliance for optimal security. SteelCloud’s ConfigOS is the leading compliance automation solution in our nation’s most sensitive environments. Step up your readiness and whip your systems into shape in hours, not months. Schedule a demo and see how you can both strengthen and simplify security while saving money.
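To make the scan, remediate, and report cycle described above (and the "controls" of a hardening standard discussed earlier) concrete, here is a small added example. It is not code from this article, from SteelCloud, or from ConfigOS, and it is not an official CIS Benchmark or STIG: the five controls are a hypothetical subset modelled on common SSH daemon hardening settings, the control IDs (SSH-01 to SSH-05) are made up, and the sample sshd_config is constructed. It shows how a baseline scan yields a compliance percentage, how remediation must respect sshd's first-occurrence rule so the old value cannot silently win, and how the same findings become an audit report.

```python
"""Illustrative scan / remediate / report loop for a benchmark-style check.

Hypothetical controls modelled on common SSH hardening settings; the IDs are
not official CIS Benchmark or STIG identifiers.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Control:
    control_id: str                          # hypothetical ID, not a CIS/STIG number
    directive: str                           # sshd_config directive being checked
    expected: str                            # human-readable expected setting
    check: Callable[[Optional[str]], bool]   # receives the effective value or None
    remediation: str                         # value written when the check fails


CONTROLS: List[Control] = [
    Control("SSH-01", "PermitRootLogin", "no", lambda v: v == "no", "no"),
    Control("SSH-02", "MaxAuthTries", "4 or fewer",
            lambda v: v is not None and v.isdigit() and int(v) <= 4, "4"),
    Control("SSH-03", "X11Forwarding", "no", lambda v: v == "no", "no"),
    Control("SSH-04", "PermitEmptyPasswords", "no", lambda v: v == "no", "no"),
    Control("SSH-05", "LogLevel", "INFO or VERBOSE",
            lambda v: v in {"INFO", "VERBOSE"}, "VERBOSE"),
]

# Constructed sample configuration; not captured from a real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
MaxAuthTries 6
#X11Forwarding no
X11Forwarding yes
LogLevel INFO
"""


def parse_directives(text: str) -> Dict[str, str]:
    """Return the effective value of each directive.

    Comments and blank lines are skipped. sshd honours the first occurrence
    of a directive, so an earlier line wins over a later duplicate.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in values:
            values[parts[0]] = parts[1].strip()
    return values


def scan(text: str) -> dict:
    """Evaluate every control; an absent directive counts as a finding because
    the hardened value should be stated explicitly rather than left to defaults."""
    values = parse_directives(text)
    findings = []
    for c in CONTROLS:
        actual = values.get(c.directive)
        findings.append({"id": c.control_id, "directive": c.directive,
                         "actual": actual, "expected": c.expected,
                         "pass": c.check(actual)})
    passed = sum(1 for f in findings if f["pass"])
    return {"findings": findings,
            "compliance_pct": round(100 * passed / len(CONTROLS))}


def remediate(text: str) -> str:
    """Return a hardened copy: every line for a failing directive is commented
    out (so the first-occurrence rule cannot resurrect the old value) and one
    compliant line is appended. Compliant input is returned unchanged."""
    failing = {f["directive"] for f in scan(text)["findings"] if not f["pass"]}
    fix_value = {c.directive: c.remediation for c in CONTROLS}
    out = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and parts[0] in failing:
            out.append("# disabled by remediation: " + raw)
        else:
            out.append(raw)
    for directive in sorted(failing):
        out.append(f"{directive} {fix_value[directive]}")
    return "\n".join(out) + "\n"


def format_report(result: dict) -> str:
    """Render a scan result as a per-control table plus the overall percentage."""
    rows = []
    for f in result["findings"]:
        status = "PASS" if f["pass"] else "FAIL"
        rows.append(f"{f['id']:<7} {f['directive']:<22} {status:<5} "
                    f"actual={f['actual']!r} expected={f['expected']}")
    rows.append(f"compliance: {result['compliance_pct']}%")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(scan(SAMPLE_SSHD_CONFIG)))      # baseline: 20%
    print(format_report(scan(remediate(SAMPLE_SSHD_CONFIG))))  # after: 100%
```

The sample starts at 20% compliance (only LogLevel passes) and reaches 100% after remediation. Commenting out every prior occurrence before appending the fixed value is the important detail: simply appending `PermitRootLogin no` to the end of a file that already says `PermitRootLogin yes` would leave the insecure value in force, and a re-scan would still report a finding.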
