For faculty and staff, the cybersecurity risks in higher education "haven't changed that much" in the pandemic, said Helen Patton, EVP and CISO at Ohio State University, while speaking on a virtual panel hosted by Proofpoint Wednesday.
Higher education had remote contributors and researchers, bring-your-own-device policies, and a campus constantly in transit. The difference with a school year beginning under COVID-19 conditions is the number of remote workers.
Evaluating the risk associated with "the use case that the individuals want to pursue" is her primary role, Patton said. "No vertical is using video conferencing as much as higher ed and K through 12 is. None of them," she said. "You can go to a bank or a healthcare company or retail company, they ain't using it the way we are."
Higher education CISOs lost visibility when students and staff went home mid-spring semester. It caused them to reformulate priorities and re-evaluate investments. The silver lining is an increased capacity to react faster to security challenges.
"You can't run an incident response type of program for long term," said Erik Decker, chief security and privacy officer at University of Chicago Medicine, who also appeared on the panel. "I actually think of this as like wearing a mask. There's certain hygiene things that you just need to do inside an organization and we need everybody to wear the mask in order to provide the bare coverage of protection for everybody."
Same but different
At Ohio State, students and staff used a training platform with basic security lessons, including how individuals secure themselves, or what websites might threaten identity protection. The school had to pivot the platform in reaction to COVID-19, training users to secure their home network, and offering lessons in phishing scams.
The philosophy of the COVID-19-training reboot was, "if we can help people be secure in their personal pursuits, they're going to bring that thinking to being secure for the university," said Patton.
While awareness training became a cornerstone of universities' security response to the pandemic, it's not without its flaws. "I know there is a trope that says students are technical natives, and they're very sophisticated. My experience is actually not that," said Patton.
In terms of phishing exercises, Patton adopted a mindset similar to that of Mars, Incorporated's CISO during the initial shutdown. Patton didn't want to further agitate or alienate students "who were just trying to get their job done," she said. In the last couple of weeks, however, Ohio State has phished its students to test how "clickable" they are.
Phishing attacks were the one threat that was "fully expected," said Michael Duff, CISO and chief privacy officer at Stanford University, while speaking on the panel. "We recognize phishing as the single greatest threat to our privacy … by a longshot."
Stanford does a "no harm, no foul," bi-weekly phishing campaign with its employees. Still, "I have a somewhat popular view on awareness education, that I see that it has limited efficacy," said Duff.
What's needed are additional phishing protection systems that serve as safety nets when awareness training fails, or a system that blocks 100% of phishing emails 100% of the time.
"Until we reach that day, we still need the awareness training, and we're going to do it," said Duff. "But I have limited faith in the advocacy of awareness and the numbers show it."
As threats continue, Decker recommends security organizations use the inundation as a benchmark for how much risk the organization can absorb.
"To get the best bang for your buck," CISOs should primarily apply resources to attack vectors, instead of determining the credibility of an attack, said Decker. Agencies with more resources, like the Department of Homeland Security, are the ones that can figure out how threats are successful and how credible the perpetrators are.
Stay in the background
Security in the age of COVID-19 is a balancing act. Cyberthreats are at the forefront of every organization, yet security has traditionally been an operation that runs silently in the background.
CISOs need employees and students to be aware of basic security hygiene as well as record-breaking threats. But they also have to be mindful that students and staff are "just trying to work out how to survive in this environment," said Patton. "If I don't have to give them one more thing to think about, I'm not going to do that."
CISOs have to be more selective when they ring the alarm bells this year.
"There's fundamentally no new threat here. These are variations on things that we've been dealing with for decades now," said Duff.
Because heightened security risks were expected to a degree, CISOs might have found limited solace in their "COVID[-19] silver lining checklists," said panel moderator Ryan Witt, cybersecurity strategy director of education at Proofpoint.
At the University of Chicago, Decker emphasizes increasing visibility and response by leveraging a hybrid model with an MSP "to provide tier one security eyes-on-glass," driven by incident response plays. Based on what the MSP can do and what Decker's security organization can do, they have to develop formal plays and handoffs.
Initiatives underway, including new log sources or more visibility touchpoints, were accelerated during the pandemic. It was "just honestly a great learning opportunity and scaling opportunity for the team to kind of think a little differently," said Decker.
Prior to mass-remote learning and work, Stanford relied on on-campus network security and endpoint management, according to Duff. Now Stanford is more broadly deploying advanced endpoint protection and response.
"Chaos breeds opportunity, [and] there are a lot of opportunities here," said Duff. The next round of opportunity is in zero trust because "this is a perfect use case for it." Decker seconded Duff's zero trust claim, saying industry needs to view the concept as a "religion," not a solution set.
COVID-19 has emerged as a rather grim prospect for zero trust's abilities, even though collegiate-level CISOs still have to be wary of presenting zero trust "in a way that aligns to academic freedom," said Patton.
Zero trust in the educational field takes greater convincing because it is in opposition to the way higher education leaders think, said Patton. "We are all about throwing open the doors, trusting everybody, sharing our knowledge with the world. And to turn around as the CISO and say, 'don't trust anybody, validate everything, trust but verify,' is a marketing message that really clangs."