Six Obstacles to Achieving Cybersecurity Maturity in Higher Ed
Imagine walking through the longest, darkest, most dangerous alleyway in town every night—with wads of cash sticking out of your pockets. You’ll make it through safely many times. Until you don’t. That is the kind of risk you take with hackers each day you don’t have a mature, baseline cybersecurity solution in place.
However, there are some legitimate hurdles to overcome when implementing an approach like CIS Benchmarks. CIS Benchmarks are a collection of best practices culled from experts from around the world. They harden known areas of vulnerability and make hacking, phishing, denial-of-service and ransomware attacks nearly impossible to commit. Better yet, they have already been proven effective across multiple industries and challenges for over 20 years. With CIS Benchmarks, you’re still walking down that same dark alley, only now you’re doing it in an Iron Man suit.
Choosing a tried-and-true approach is one of the least challenging aspects of maturing your cybersecurity practices in higher education, though. There are six much larger barriers you need to clear first—all of which also make your institution more vulnerable to attack.
- Resource shortages.
Let’s face it. Cybersecurity isn’t generating income for your school. So it can be hard to justify the budget needed to implement and maintain a solution like CIS Benchmarks. With the average data breach costing $3.5M (not to mention the costs to your reputation), cybersecurity could be a major cost-saver for your school. Here’s the grim truth: when student data is held for ransom or there is a denial-of-service attack, your school is going to pay. And it will cost significantly more than implementing CIS Benchmarks. Cybersecurity is the ounce of prevention to ransomware’s pound of cure.
Money isn’t the only resource in short supply, though. Qualified manpower is both expensive and hard to come by. If you implement and maintain CIS Benchmarks by hand, you’ll need to hire the staff to do it. Your time is already stretched too thin. The good news is that automation can do all the scanning and remediation for you. That way you can implement and manage CIS Benchmarks with the staff you have on hand.
- Cultural resistance to change.
Higher Education is renowned for its resistance to change. With so many constituents and so many stakeholders, it’s hard to get consensus on anything. So the established pace has become slow, incremental transformation. And the line between want-to-have and need-to-have is hard to cross. Hacks and ransoms are something that happen at other colleges. And because it hasn’t happened to you, the incentive to change is not there. Then, once it happens, the money to fix it will suddenly appear. And the sum is likely to be far greater than the cost of implementing cybersecurity controls in the first place.
- Employee compliance.
Even Certified Cat Herders find it impossible to get users, faculty and staff to follow safety protocols in Higher Ed. And lest you think Education is no different from other industries, 30% of users in the Education sector have fallen for phishing scams. That’s TWICE the rate of the population at large. There are too many constituents at too many levels of awareness and maturity to keep everyone in line. But instituting CIS Benchmarks, Zero Trust and other security measures can make it much harder for bad behavior to result in a breach.
- Complex IT environments.
Legacy systems. Decentralized IT infrastructures. Early adoption. Remote users. Supply chain access. All are hallmarks of networks in Higher Ed. And all are places where vulnerabilities exist. These circumstances not only make your systems more vulnerable, they make them harder to protect.
- Lack of awareness.
The world of CIS Benchmarks and endpoint security is relatively new to Higher Ed. But it’s not new to the world. Some of the most sensitive networks in the nation use the controls and guides within CIS Benchmarks to protect their systems. Agencies like the Department of Defense and FBI use a broader set of controls than CIS Benchmarks, but they have a core set of controls in common. CIS Benchmarks is the right-sized solution for the education industry.
- Complete overwhelm.
You know you need to mature your cybersecurity program and you understand the importance of CIS Benchmarks. But where do you even start? That’s the challenge that thousands of CISOs and CIOs are facing at this very moment. As a result, months and even years tick by with no action. It’s like eating an elephant. You have to do it bite, by bite, by bite.
You can’t do this alone.
There is one conclusion in all of this that everyone can agree upon—you can’t do it alone. You’re either going to have to hire a team to implement a solution, or you can take the path of least resistance (and least cost) and automate.
When it comes to CIS Benchmarks, SteelCloud is the recognized leader with nearly 15 years of experience automating cybersecurity compliance, from scanning and remediation to auditing, reporting and continual compliance. Our ConfigOS cybersecurity automation solution removes weeks and months from your implementation timeline, taking such a large bite out of that elephant that you can manage it with the team you already have. Which means you may one day complete that backlog of requests while maintaining one of the most secure environments in Higher Ed. The dream is real! To see it in action, schedule a no-obligation demo.