“Identify the threats most likely to impact your company, and spend your limited funds defending against those,” one expert says.
Campus networks host tens of thousands of devices each day, and while those devices have access to network resources, campus IT administrators must strike a balance between openness and vigilance.
Finding that balance can prove difficult if IT administrators attempt to address every single threat, no matter how relevant that threat might be to the campus. Many experts suggest focusing on a university’s mission, and adjusting security measures so they support this mission.
Campus IT security staff should determine exactly that, said Dave Cullinane, retired chief information security officer at eBay and co-founder of the Cloud Security Alliance, during an EDUCAUSE webinar to celebrate October’s Cyber Security Awareness Month.
Higher education has a clear need for intelligence-based security that evaluates the most pressing security threats and addresses them accordingly, Cullinane said. Universities face thousands of vulnerabilities each day, and IT staff can’t possibly keep up with all of those threats.
“Identify the threats most likely to impact your company, and spend your limited funds defending against those,” he said.
Unfortunately, many campus technology teams are still novices at managing information risk.
Campus technology leaders should demonstrate that they are focusing their resources and efforts on the things that are most likely to have an impact. There are threats that, were they to occur on a campus network, would be catastrophic, Cullinane said. But IT experts should weigh the likelihood of those events. If chances are very small that such an event would occur, funding would be better spent on more relevant security threats.
For instance, many universities are leveraging an increase in student mobile devices by creating apps for student and faculty use. IT administrators should understand the threats that accompany such mobile environments, how real those threats are, and then decide how much money to allocate to risk mitigation, Cullinane said.
Measuring the effectiveness of security plans is one of the most important things to do, but it’s also one of the hardest, he added. Campus IT leaders should review the ramifications of different security breaches, such as the exposure of student or faculty data, and use models or discussion sessions to gain a better picture of what the impact of such a breach might be. From there, they can decide how to quantify that risk in terms of dollars.