Cyber-attacks have become a global phenomenon, occurring every day around the world, and universities and colleges across the United States are becoming targets of these security breaches (Rogers & Ashford, 2015). College and university computer systems are critical targets for hackers for several reasons: their servers are filled with very valuable intellectual property; their systems are proprietary, with intricate controlled access that requires little security clearance; and, because cyber protection can be expensive, many higher learning institutions may lack the capital to set up sophisticated systems. Given the growing prevalence of attacks, leadership in institutions of higher learning must understand privacy and information security issues in order to develop frameworks that mitigate losses.
In 2016, colleges and universities were required by the U.S. Department of Education to adhere to the requirements set out in National Institute of Standards and Technology (NIST) Special Publication 800-171, which was drafted to present better confidentiality guidelines for sensitive data (Ausherman, 2019). Furthermore, in recent revisions, institutions of higher education have also been required to strengthen their cybersecurity controls, which requires them to make changes to their data management schemes. The report suggested changes to the enterprise risk management of data in colleges and universities and the introduction of enterprise-level solutions that examine and certify information and access compliance.
Also, the Family Educational Rights and Privacy Act (FERPA) protects the confidentiality of student education records and applies to all educational institutions that receive funds under any U.S. Department of Education program (FERPA, 2011). The act gives parents various rights over their children's education records; these rights transfer to the student once they are over 18 years old or attend a learning institution above the high school level. FERPA protects the rights of the covered parties to examine or scrutinize education records, change them, or allow the disclosure of personally identifiable data within the limits stipulated by the act. Education records include transcripts, disciplinary information, medical records (except those that have been excluded), information on residency and accommodation offered to students, and records of the employment of scholars that is linked to their status as a learner. Furthermore, the act prohibits institutions from disclosing the educational information of their students without written permission.
The Federal Information Security Modernization Act of 2014 (FISMA, 2014) requires all federal information to be protected (Joint Task Force Transformation Initiative, 2014). For colleges and universities, it is one of the most critical pieces of legislation on federal data security standards and procedures, and it was made public to decrease the security risk to federal data while controlling federal spending on cybersecurity. Colleges and universities that are granted federal funding are obliged to adhere to FISMA guidelines. The first concerns information system inventory: every federal institution must keep an available inventory of all the information systems that are used in the organization. Furthermore, organizations need to categorize their risks to make sure that sensitive data and the systems that use it are given the most security. Institutions of higher education in particular also need a system security plan, which should be updated and maintained. Security controls should also be present and be relevant to the institution of higher learning. Risk assessments should also be carried out to note security hazards in the organization, its business processes, and its information systems.
Other legal regulations and guidelines include the Gramm-Leach-Bliley Act (GLBA), which obliges financial organizations such as institutions of higher learning to guarantee the safety and privacy of student information (Filson & Olfati, 2014). The Health Insurance Portability and Accountability Act (HIPAA) requires institutions to secure the health records of students and other health information through privacy models, and also to regulate the use and disclosure of the data without consent (Edemekong et al., 2019). The Higher Education Act compels colleges and universities that have Title IV programs to institute policies, measures, and monitoring and controlling guidelines that touch on information security, while the Student Aid Internet Gateway (SAIG) Enrollment Agreement demands that institutions of higher learning with the same programs ensure that all Federal Student Aid application data is secure (Harper, 2017).
Opportunities and constraints
There are numerous opportunities for institutions of further education to improve their privacy and information security, given the recent rise in phishing attacks, scams, ransomware and DDoS attacks that specifically target campuses. The first opportunity is the existence of numerous customized solutions offered by external cybersecurity teams that are compliant with the relevant legal requirements (Pan & Yang, 2018). These customized solutions give campuses the chance to meet the unique needs and challenges they face with regard to cybersecurity. To protect their sensitive data, they need a comprehensive information security tool or system that is specialized for institutions of higher learning, and there is an array of companies that can readily offer these types of solutions.
Another opportunity is the presence of materials and resources aimed at enhancing cloud security for colleges and universities. Cloud computing is a critical component for institutions of higher education, as it assists in carrying out functions such as payroll management and file distribution, but it poses some security concerns. However, materials and assets such as websites and blogs educate users on password security, protocol, the use of two-factor authentication practices, and checking cloud service providers for due compliance, and they offer information on recent cloud security threats, so that the management of threats to information and privacy can be understood (Rabai et al., 2013). This information is available to staff, stakeholders, students and even guests in institutions of higher education.
With the presence of antivirus and security system software that can identify threats to the personal devices used by learners, staff, and guests, there is an opportunity to offer better information security to institutions of higher education. It is, however, critical that colleges and universities offer appropriate training and come up with proper security measures targeted at learners, guests, and staff (Vogel, 2016). This step could involve assisting users to set up device tracking software that offers the ability to erase a device if it is stolen. Furthermore, institutions can offer information on installing applications from trusted sources only and on practicing caution in the granting of permissions, especially when accessing data. Highlighting the need for passcodes and dissuading the use of auto-login, especially for logins that link to the network of the college or university, are important starting points. Finally, institutions should insist on the use of secured Wi-Fi networks when accessing their systems.
The presence of professionals that offer data security audits that are aimed at offering an understanding of the vulnerabilities present in systems utilized by higher education institutions is an opportunity to enhance cybersecurity (Aloul, 2012). These professionals can easily offer the proper steps needed to control data breaches. The security audits mostly examine the technology assets, the policies that have been put in place by the college or university, and the present training procedures to offer impartial suggestions based on their findings.
One of the chief constraints in a cybersecurity strategy that involves institutions of higher learning is funding (Kraemer et al., 2009). Hardware and software solutions and general IT infrastructure that are up to date are expensive. The operating expenses, time, money and capital that are devoted to cybersecurity measures are limited, and therefore higher learning institutions continue to use legacy applications and hardware that put them at more risk of cyberattacks.
Also, laws and regulations that are linked to cybersecurity may limit the extent of cybersecurity programs that can be utilized in universities and colleges (Murray et al., 2012). This limitation is due to compliance issues that may hinder the use of certain resources that may be needed for proper cybersecurity measures and this could lead to poor utilization of resources that may not be well suited for the cybersecurity threat.
Furthermore, staff time and talent may act as constraints, as the ability of the present IT staff to manage cybersecurity threats and risks may be limited (Austin, 2018). Moreover, the institution’s mandate to hire and keep talent may be restricted based on the lack of capital to meet the remuneration packages needed to retain cybersecurity experts. This issue has ultimately led to high turnover numbers of cybersecurity teams in universities and colleges to other information technology markets that can meet their compensation needs. Ultimately, higher learning institutions are constrained in offering a capacity for the staff to learn novel skills and talents within the scope of cybersecurity and this restriction also leads to high turnover rates.
Business overheads can act as constraints, as the particular culture of the various groups in an institution of higher learning may determine how much can be achieved under established policies on security controls (Scully, 2014). For instance, if it is noted that the IT team takes on a lot of business overhead compared to other departments in the institution, there may be limitations on the level of fiscal and monetary resources allocated to cybersecurity. Allocating high, medium and decreased tolerance scores to the various groups can offer a better perspective on how a college or university may view cybersecurity overhead.
Political capital is another constraint especially when an attack threatens the information security of the university or college. If the present security team has more political capital with the institution’s management, their role in the attack may be overlooked or less scrutinized. Furthermore, political capital may affect how post-incident plans and contingency reports are accepted by the management in the higher institutions, meaning that a proper contingency and cybersecurity report may be discarded if it lacks influential political support and capital, while a poorly drafted cybersecurity plan may be accepted based on the power of the cybersecurity team in the institution (Scully, 2014).
In higher education, accountability may act as a constraint, trickling down from the issue of political capital (Evans & Reeder, 2010). The point revolves around awareness of the culture of accountability in the institution, as it is crucial to develop a proper cybersecurity model and plan. For instance, if the plan depends on the accountability practices of the administrative faculty but the faculty is never disciplined and has a culture of ignoring security alerts, the plan may fail.
Another constraint is calendar time, which is the date by which the cybersecurity measures should be established and the relevant central resources put in place. The constraint may arise where the critical resources and capabilities are not present at that time (Wulf & Jones, 2009). In cybersecurity, not all resources will be time-critical, and the cybersecurity team needs to identify all the limitations on the schedule and make planning decisions that take calendar time into consideration.
When governance is compelled on cybersecurity teams it becomes a constraint. When authority is offered by the Chief Information Security Officer it becomes a part of the cybersecurity strategy. If there is a competent and faithful cybersecurity team, then the line of authority is simply a channel of reporting (von Solms & von Solms, 2018). In higher learning institutions, this aspect of competency and faithfulness is blurred and many advisory commissions are structured to ensure honesty and participation in the IT department. Oversight committees may be present in learning institutions when there is little trust for the IT faculty and cybersecurity team. These deep lines of authority make threat reporting and mitigation more time consuming and very limited.
Available technological, policy and procedural mitigants
Technological mitigants against cybersecurity attacks in universities and colleges include the use of encrypted and unencrypted wireless networks, with colleges utilizing both systems to offer services for faculty, students and guests respectively. Encrypted Wi-Fi uses WPA, an encryption protocol that has not yet been broken. Login IDs and passwords are also used to provide a certain level of security in association with other processes or procedures. Login IDs and passwords are typically not secure by themselves and require other procedures to make them more secure. A Network File System (NFS) portal is also used by various institutions of higher education to permit users to access their home directory on any computer (Rogers & Ashford, 2015). This is usually done through Internet Protocols that authenticate the clients, and modern, updated versions of NFS use Kerberos technology to make sure that there is the highest level of security for network resources.
Research has been able to show that the development and institution of protective steps are needed in the fight against cybercrime. Various universities and colleges have taken procedural proactive steps against cyberattacks and these include the utilization of shared assets required for cybersecurity to decrease the costs. In this step, the universities and colleges have put their resources together to protect their data (Borum et al., 2015). Innovation that has been utilized in the detection of cyberattacks on a network based on customized algorithms could act as a defensive measure. Moreover, commitments offered through initiatives to bring together universities and colleges in the war against cyberattacks have been instituted as standard procedural practice. Finally, committing the necessary funding on reducing cyber-attacks has been important in securing information in institutions of higher education.
Policy plans presented by universities and colleges for limiting and controlling cyber attacks are first directed towards understanding and properly managing the whole cybersecurity risk profile of the institution of higher learning. This step means using secure facilities that maximize the use of the centrally shared information security assets between the colleges and universities. This policy structure is known as IT-28, and it further offers examples for consideration when particular circumstances bring about the need for specific services that can still be maintained by the local unit (Kappelman et al., 2016). This policy management strategy acknowledges both the individual parties at the university and the institution of learning as a whole, and it carefully balances the problems in a college or university through the deans by addressing the concerns of those who favor the reduction of risk and those who want the intellectual freedom to practice teaching and learning.
One of the primary best prevention practices in addressing privacy or information security issues is securely storing data. Securely storing data is critical for higher education institutions, as most cyber-attacks and threats target data from universities and colleges, which is why cybersecurity, emergency management and IT personnel, students, faculty and administrative staff must take up measures that secure their data. These security breaches can have dire consequences and critically affect the perception of the learning institution, its operations and its finances. Securing data storage should involve instituting consistent data backups, so that even if a cyber attack gains access to the data, the backups can assist cybersecurity teams in retracing the steps of the breach and learning which systems and applications were compromised (Hu et al., 2012). This step will also help higher education administrators communicate the required information to those who were affected.
Access control lists and firewalls should also be created. An access control mechanism is a proper mitigation to use in the bring-your-own-everything model that exists in higher learning institutions. When the relevant authorities and parties can consult the access control lists and firewalls, they can provide user and investigative support data before, during and after a data breach. It is suggested that the access control lists are reexamined consistently to make sure that they do not continue to accommodate staff who have moved away from their positions, and also to incorporate new staff who are coming into the higher learning institution (McGettrick, 2013).
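The periodic access control list review described above, sketched as an added example that is not part of the original essay: it reconciles ACL entries against a staff roster and reports entries held by departed staff, entries whose holder has changed position, accounts unknown to the roster, and current staff who lack a required entry. The record layout, field names, policy table and sample data are all constructed assumptions.

```python
"""Periodic ACL review: reconcile ACL entries against the staff roster.

All field names, positions and sample records are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample: HR roster export, one row per person.
ROSTER_CSV = """user,position,start_date,end_date
akhan,registrar,2019-08-01,
bsmith,finance_clerk,2017-01-15,2024-05-31
cjones,it_admin,2021-03-01,
dlee,finance_clerk,2024-06-10,
"""

# Constructed sample: ACL export, with the position that justified each grant.
ACL_CSV = """resource,user,granted_for_position
student_records,akhan,registrar
finance_db,bsmith,finance_clerk
finance_db,cjones,finance_clerk
core_switch,cjones,it_admin
student_records,ghost,registrar
"""

# Assumed policy: positions that must hold an entry on each resource.
REQUIRED = {
    "finance_db": {"finance_clerk"},
    "student_records": {"registrar"},
    "core_switch": {"it_admin"},
}


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_active(person, today):
    """A person is active from start_date through end_date (inclusive)."""
    if date.fromisoformat(person["start_date"]) > today:
        return False
    end = person["end_date"]
    return not (end and date.fromisoformat(end) < today)


def review_acl(roster_rows, acl_rows, required, today):
    """Return sorted (kind, resource, user) findings for one review run."""
    roster = {row["user"]: row for row in roster_rows}
    findings, valid = [], set()

    # Pass 1: every ACL entry must map to an active person in the same position.
    for entry in acl_rows:
        user, resource = entry["user"], entry["resource"]
        person = roster.get(user)
        if person is None:
            findings.append(("unknown_account", resource, user))
        elif not is_active(person, today):
            findings.append(("departed_staff", resource, user))
        elif person["position"] != entry["granted_for_position"]:
            findings.append(("position_changed", resource, user))
        else:
            valid.add((resource, user))

    # Pass 2: every active person must hold the entries their position requires.
    for user, person in roster.items():
        if not is_active(person, today):
            continue
        for resource, positions in required.items():
            if person["position"] in positions and (resource, user) not in valid:
                findings.append(("missing_entry", resource, user))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_acl(load(ROSTER_CSV), load(ACL_CSV),
                              REQUIRED, date(2024, 7, 1)):
        print(*finding, sep="\t")
```

Running the review on a schedule and on every HR change, rather than only after an incident, keeps the window in which a stale entry remains usable short.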
Furthermore, policies need to be developed that guide the secure deployment, maintenance and permitted use of higher education data (B. Kim, 2014). Different parties are involved in cybersecurity mitigation and protection in higher education institutions: IT staff, emergency management parties, cybersecurity companies, staff, learners and even guests. There should be policies that highlight the mode of action or inaction that can help limit cyberattacks, for example, guidelines stating that IT staff should be aware of the state and federal legal guidelines relating to information security and privacy before they take up tasks in support deployment and protection. The regulations and measures on secure deployment and protection can be harmonized with policies in a cybersecurity annex in higher education security emergency operations plans. Moreover, it is suggested that recent staff, learners and guests receive consistent notices and reminders about proper data use, and that those dependable-use regulations are promoted during the orientation of new staff, visitors and learners.
Networks should also be monitored carefully because of the current growth in cyber attacks and hazards. Network monitoring should become a consistent activity in the departments of higher education institutions (Beyer & Westendorf, 2010). Vulnerability scans are one technique that can be used; from them, IT attack and risk assessments can be used to develop the plans of action that can deter potential attacks. Depending on the size of the campus and the systems that connect the different departments and institution networks, network monitoring can be a long task that may need the assistance of secondary parties such as cybersecurity firms, which can suggest which cybersecurity measures may offer the needed support mechanisms.
In responding to a threat, the model of action or inaction depends on the nature of the cyber attack experienced. For instance, if financial data is breached, higher learning institutions can use the Student Aid Internet Gateway as a reporting mechanism. If the operating systems are shut down, emergency plans must be activated at once to make sure that the learning process remains stable and that there is little interference. In a variety of instances, the response to a threat needs the assistance of external parties such as the Federal Bureau of Investigation or private cybersecurity companies (Liu et al., 2017). University and college cybersecurity and emergency task forces must review how their responses will be directed by similar models. They should also set out the systems of action for several cyber threat variants in the Cybersecurity Annex of their emergency operations plan.
The recovery procedures from cyber-attacks should be centered on the affected individuals, policies and innovation. In devising plans for recovery, Chief Information Security Officers should be able to look into how the recovery process touches on these areas. For instance, if operating systems are uninstalled because of a cyber attack or even as a protective mechanism, the relevant professionals will have to plan the recovery of the operating systems and their functions. Moreover, they will also need to alert the affected parties, such as students and faculty, about the contingency measures that will be in place until previous capabilities are restored. Finally, the recovery team should take measures to reexamine policies that may be put forward to limit future attacks, and to train and consistently remind critical entities about them. Post-incident reports and special monitoring should follow the event, and higher learning institutions can examine what the recovery work achieved and move towards reinforcing future recovery processes (Diaz et al., 2017). These recovery plans should cut across all departments, from academics to finance, and also include the psychological and mental recovery of those affected.
Plan to manage the risks in Higher Education (Universities and Colleges)
Managing the risks involved in cybersecurity in universities and colleges requires efficient planning that relies on continuous analysis and comparison of the threats and hazards an institution of higher learning is facing. The first step is to form a joint planning team by assigning personnel who have a function in both cybersecurity and controlling emergencies. This group may include the IT faculty, cybersecurity staff, outside data security professionals and federal authorities that are focused on supporting higher learning institutions (Dean & McDermott, 2017). In choosing the planning team, it is critical to note that these people and groups will be required to assist in prevention, protection, response, and retrieval in case of an attack. There should be a consistent assessment of the available labor capital that can offer support in understanding cybersecurity threats and novel technologies.
In the second part of the planning process, there needs to be a perception of the probable threats that may affect the institution of higher education and its adjacent environments. The collaborative planning group needs to first note the probable cyber threats and dangers. This information can be harnessed from cybersecurity networks and federal organizations that offer informational support to universities and colleges that are looking to examine the array of possible threats (Vogel, 2016). After the identification of the potential risks, the planning task force should be able to examine the cyber risks to their networks, and finally, note the weaknesses present in their systems.
The next steps should involve developing the objectives and channels of action that will help form a model for the cybersecurity annex that will be part of the emergency operating plan of the university or college. With the cyber threats identified in the previous step, the cybersecurity and emergency management teams and faculty can move forward in setting goals and objectives for every risk factor. The group should furthermore focus on goals and objectives that are structured towards reaching the best results before, during and after cyber-attack incidents (Bayuk et al., 2012). For example, before a cyber-attack incident, the plan should offer prevention guidelines that limit the financial department from releasing student financial data, with the objective being to require all faculty to take up a cybersecurity class every week. During an episode of a cyber attack, the course of action should be the examination of the origin of the security breach in association with entities from external bodies. The objective, in this case, would be to have all staff report security breaches to the relevant authorities. After a cyber-attack, the course of action would be to enhance information security programs for the finance department and to establish monthly changes to the training manual that offer more information on how data can be infiltrated by criminals. In their action plans, institutions of higher education need to outline the action-level needs for dealing with cybersecurity overlap in the various affected sections.
In the next step, the plan should draw on information from the previous procedures and ensure that the annex or plan conforms to state, local or federal guidelines, to allow for an easier approval process and to ensure that institutions of higher education are in compliance with information security guidelines (Bayuk et al., 2012). The chain of command before, during and after cyber-attack incidents is also identified in this stage, and the functions of the critical stakeholders involved in the deterrence, retrieval and recovery processes are noted. In the finalization of the plan, stakeholders, including students, staff, and guests, must be trained on cybersecurity using exercises such as drills. The universities and colleges should carry out after-action assessments to highlight lessons learned and come up with corrective mechanisms.
It is evident that cyber-attacks are present and that their sophistication continues to grow. The attacks have become more creative and complex, and academic institutions must therefore respond with both proactive and reactive steps in handling these problems. There is a need to consistently offer current mitigation modules and resources that can help institutions of higher learning remain watchful and adhere to legal guidelines. Boards that govern campuses should also be aware of the risks that are present in their network systems and work to keep them secure and confidential. Campuses should rationally adopt cyber-risk frameworks that include mitigation strategies aimed at prevention and recovery. By understanding the relevant constraints and opportunities that are present in the information security space, campuses can evolve to address their shortcomings while using present resources. Therefore, in designing plans, all relevant bodies associated with the institution must be part of the process to address vulnerability issues in human capital. Cybersecurity plans are critical in offering procedural strategies before, during or after a cyberattack, and this can be useful in limiting the losses that are incurred during cybersecurity breaches.