In June, SANS conducted a survey, "Higher Education: Open and Secure?", of almost 300 IT professionals in Higher Education. Based on the results, Higher Ed institutions clearly have information security concerns and priorities that are a bit different from those of the typical enterprise. You really can't "lock down" Higher Ed: the whole premise of higher education involves learning and freedom to explore. Plus, some of the best hackers in the world are about the same age as Higher Ed students. In addition, with BYOD especially prevalent in Higher Ed, there are many more devices (likely 2-3 per student) and quite a bit of diversity in endpoints. As the survey results highlight, Higher Ed entities are struggling to address these challenges on IT security budgets that might best be described as "lame".
Higher Education entities are strapped for resources for IT security
- 64% believe they need 1-5 additional FTEs to address their needs
- 73% cite lack of budget as a key contributing factor for their staffing shortage
Regulatory / Compliance concerns are prevalent
- 75% must adhere to FERPA for personally identifiable information they handle
- 71% must adhere to PCI-DSS
- 68% must adhere to HIPAA/HITECH
The Family Educational Rights and Privacy Act (FERPA) protects student records from unauthorized access and is a compliance requirement unique to Higher Ed institutions.
Top 4 attack vectors of primary concern for Higher Ed (in order from highest to lowest concern)
- Exploits against internal database systems / servers
- Malware delivered to staff endpoints
- Exploits against websites / servers
- Phishing attacks
The report highlighted 11 primary attack vectors of concern, but the "Top 4" listed above were selected by a much higher percentage of respondents than the rest of the 11. The report also noted that 6 of the 11 primary attack vectors of concern (including 3 of the 4 above) relate to the institution's ability to patch systems and applications, highlighting the need for emphasis on vulnerability management and patching.
They're starting to get concerned about IoT
- 26% are concerned about risks posed by “things” like printers, copiers, scanners, laboratory data acquisition devices, surveillance cameras, door access controllers, vending machines and HVAC systems.
Many reported breaches, and many are lacking the processes and tools necessary for effective detection and response
- 33% indicated they had had one or more successful breaches (that they knew of) in the past 12 months
- 55% of the organizations surveyed don't have formal risk assessment and remediation policies in place (that number rises to 69% for organizations with fewer than 2,000 employees)
- 39% are not using Security Information and Event Management (SIEM)
- SIEM was one of the most common items on respondents' "wish list", along with Monitoring/Analytics capabilities
It's clear from the results that maintaining information security in Higher Ed is not for the faint of heart, as IT professionals within these organizations are challenged to secure a complex and dynamic environment with limited resources.