Cybercrime is a multi-billion dollar
global industry and it grows exponen-
tially each year. The FBI has identified
six different classes of cyber threats:
Hactivism, Crime, Insider, Espionage,
Terrorism and Warfare—all of which
have multiple attack vectors that make
up the cyber “threat landscape.” For
means defending against all potential
threats and addressing vulnerabilities
every day, on multiple fronts, to keep
data safe. It also means a heavy institu-
tional investment of time and money.
“As you have to get more sophisticated
to protect the college, it gets more and
more expensive, and that expense eats
into your IT budget. It’s not just about
defending against attacks; it’s the way it
erodes resources,” says Michael Northover,
chief information officer at Portland
Community College (PCC) in Oregon.
So how can colleges best protect
themselves? Northover has some advice.
MAKE A PUBLIC COMMITMENT THAT
CYBERSECURITY IS AN INSTITUTIONAL
STRATEGIC PRIORITY. Cybersecurity
should be looked at as the digital element
of public safety, Northover says, as people’s
livelihoods are often tied up in their identi-ties. A commitment to cybersecurity needs
to come from the top. As CIO, Northover
worked to help PCC’s president and board
understand the importance of digitally
protecting students, faculty and staff.
Getting that buy-in can be difficult—
especially when the worst hasn’t
“Cybersecurity is one day you’re
happy, and the next day you’re not.
You’re always investing for the worst
case scenario,” Northover says.
When cybersecurity is understood
and made an institutional priority, it
usually smooths the way for funding
discussions during budget planning.
UNDERSTAND WHAT REGULATIONS
GOVERN THE INSTITUTION. Does the
college take credit card payments? Does
it keep medical records? Does it receive
federal funds? Those actions all have
regulations tied to them which have
cybersecurity requirements about what
data needs to be protected. Those regulations also drive fines, penalties and
liability if a data breach does occur.
ENSURE THE COLLEGE HAS ADEQUATE
CYBERSECURITY INSURANCE COVERAGE.
Insurance against cybersecurity incidents
not only protects institutions in case the
worst happens, but most cyber insurers
also provide legal and technical resources
to help in the event of an incident.
BASED ON HOW THE COLLEGE IS
REGULATED, UNDERSTAND WHAT DATA
IS BEING KEPT AND WHAT NEEDS TO
BE PROTECTED. For example, “if you’ve
determined you’ve got medical records,
therefore you’re regulated by HIPAA
(Health Insurance Portability and
Accountability Act), what are the pieces
of data HIPAA says you have to protect?”
Northover says. This is a big task, as
data “can be all over the place,” he adds,
especially at large institutions.
BUILD A CYBERSECURITY ROADMAP. Once
the vulnerabilities of the institution and
the assets to be protected are identified,
an in-depth defense plan can be built.
Part of the plan should include staff
training about cyber awareness. “For
all the millions of dollars we spend on
technology, for all that investment and
skill and technological resources, one
of the biggest challenges is educating
people to not make simple mistakes
that let the bad guys in,” Northover says.
“It’s like many things in life: people
don’t take it seriously until it happens
PCC also is training tomorrow’s cyber
warriors on the Sylvania Campus at its new
National Center of Academic Excellence
in Cybersecurity Fundamentals, approved
by the National Security Agency and the
Department of Homeland Security.
“We’re proud to host this Center of
Excellence because it helps build the
pool of skilled workers needed to protect
the national information infrastructure.
Importantly, these are high-demand,
family-wage jobs, so the center also
supports our local and regional economy,” says Lisa Avery, campus president
of PCC Sylvania, and a member of the
American Association of Community
Colleges’ Board of Directors.
Guarding against cybercrime
By Tabitha Whissemore