BreachExchange mailing list archives

It’s (Not) Academic: Cybersecurity Is a Must for Universities and Academic Medical Centers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Nov 2015 19:42:39 -0700

http://www.natlawreview.com/article/it-s-not-academic-cybersecurity-must-universities-and-academic-medical-centers

Cutting-edge research institutions need cutting-edge cybersecurity to
protect their IP and critical personal and financial data.  Universities
hold vast repositories of valuable information, including student
healthcare information, patient information from academic medical centers,
and financial and personal data from applicants, donors, students, faculty,
and staff.  So it’s no surprise hackers have been targeting universities
lately—in fact, at least eight American universities (including Harvard, UC
Berkeley, University of Maryland, and Indiana University) have announced
cyber intrusions over the past two years.

With the cost of a data breach averaging $3.8 million,[1] universities
cannot afford to pretend cybercrime won’t happen to them.  For institutions
with health records, the financial costs can be even greater (as high as
$360 per record!), due to the high value of health records on the
internet’s black market, the “Dark Web.”

But, the dollars may not mean as much as the bad PR—having your
institution’s name in national headlines, risking research funding from
governments or corporate partners, losing protected and sensitive IP,
fielding calls from angry donors, students, and parents whose personal
information has been compromised, and defending multiple civil suits—all
because the institution failed to assess its cyber liability.  (See
additional information on assessing cyber liability).

For major research institutions holding valuable IP, health records, and
grants for sensitive research, having a cybersecurity prevention and
remediation plan is more than just a good idea, it’s an absolute must.  And
these cybersecurity measures must extend beyond mere “compliance.”  The
Federal Government will continue to create cybersecurity regulations, but
their regulations never will keep up with the risks.  A university’s
administration answers to the Federal Government, to its Board, to its
donors, to the media, to its students and faculty, and to the general
public. None of these constituencies will be calmed by minimal compliance
with outdated regulations.

Instead, universities can address their cybersecurity risks with some
initial measures to prevent intrusions and to minimize the damage if a
hacker does get through:

Protections against Insider Threats: Attacks by insiders accounted for more
than 50% of the cyberattacks in 2014. To help mitigate these threats,
create an insider threat team and build a holistic approach to
security—include staff from IT and technology, legal, physical security,
and human resources. Emphasize training of employees, faculty, and
administrators in basic cybersecurity awareness to instill habits that will
better protect the institution.

Enhance Network Security Policies and Procedures: Implement security
precautions to make a hack more difficult. For example: create enhanced
protocols to prevent unauthorized access to devices and systems, including
multi-factor authentication; provide broad and frequent updates to
computers on-campus and for computers that regularly access campus
networks; and prevent access to compromised sites by incorporating controls
into your network.

Cyber Intrusion Testing: Work with a vendor to test the institution’s
current cybersecurity vulnerabilities and get advice on how to reduce those
vulnerabilities.

Corrective Action Plan: Prepare one that includes disclosure and mitigation
efforts. Importantly, if an institution holds government contracts or
grants, follow the required disclosure protocols for cyber intrusion (note
that agencies may differ in their disclosure and mitigation requirements).

Cyber Insurance: Institutions—particularly those with academic medical
centers and/or sensitive research programs—should ensure their policies are
large enough to cover a worst-case scenario.

While a comprehensive cybersecurity plan will require additional systematic
and long-term efforts, taking these steps will at least keep an institution
off of a hacker’s list of “low-hanging fruit.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
