As the technology landscape continually evolves, higher education stretches to keep up, deploying new systems quickly — in many cases too quickly. Often, those new systems don’t undergo full vetting. And that can lead to gaps in security, justifiably raising concerns for CIOs.
As the CTO and co-founder of Propeller, I have the unique opportunity to connect with CIOs and tech professionals across higher education, getting an inside look at the things that keep them up at night.
Cybersecurity lands at the top of the list.
In this post, I’m laying out the top 5 cybersecurity concerns our clients are talking about, to give you an insider’s view of what CIOs at other colleges and universities prioritize.
What are the challenges of cybersecurity for universities?
As a CIO, you’re facing the challenges of ever-changing technology, budgetary constraints, and making sure that your solutions are user-friendly.
It’s not enough for something to hit all the marks in security; it also needs to be easy for your students and teachers to use. You don’t want them throwing their hands up in frustration.
In my work with many CIOs across higher ed, here are the top 5 cybersecurity priorities they talk about most often:
- Network security
- Browser-based apps
- Secure user credentials and 2FA
- Accessibility without sacrificing security
- Data security
Network security and infrastructure
Network security is at the top of the list of higher ed’s tech concerns. It’s the infrastructure that protects a school’s devices, users, and applications from unauthorized access, misuse, or theft.
Schools need to keep bad actors off their networks to protect student data and the institution’s own hardware.
As more schools encourage students to use their own laptops and tablets with bring-your-own-device (BYOD) policies, network security concerns will continue to mount.
Browser-based apps
Another concern I hear about regularly is the risk of SQL injections, cross-site request forgery (CSRF), and cross-site scripting (XSS) attacks through browser-based applications.
Browser-based apps are convenient, as students don’t have to download software or access the app from a specific device. If they can open a browser with an internet connection, they can use the app.
The risk with SQL injection is that a bad actor can slip their own SQL into a query the app sends to its database, then use it to read or change data on internal systems. During an XSS attack, a hacker injects malicious script into a website, which then sends users’ data back to the hacker whenever someone visits the site.
With CSRF, a bad actor can act as a logged-in user by hiding a request in a web page, which the user’s browser then sends to the app with that user’s session.
CIOs are concerned with how vulnerable some browser-based apps might be to malicious attacks. Looking for ways to keep hackers and bad code out is an ongoing priority.
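To make the SQL injection risk concrete for anyone reviewing a browser-based app, here is an added example (not code from this post or from any vendor) that puts the weak query pattern beside the parameterized one. The student-portal table, its columns, and the sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data for a hypothetical student-portal table.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE balances (student_id TEXT PRIMARY KEY, tuition_due REAL)"
    )
    db.executemany(
        "INSERT INTO balances VALUES (?, ?)",
        [("s1001", 1250.0), ("s1002", 0.0), ("s1003", 980.5)],
    )
    return db


def lookup_concatenated(db, student_id):
    # Weak pattern: the input becomes part of the SQL text, so the database
    # cannot tell where the data ends and the query syntax begins.
    sql = (
        "SELECT student_id, tuition_due FROM balances "
        "WHERE student_id = '" + student_id + "'"
    )
    return db.execute(sql).fetchall()


def lookup_parameterized(db, student_id):
    # Hardened pattern: the placeholder binds the input as a value only;
    # quotes inside it are never interpreted as SQL.
    sql = "SELECT student_id, tuition_due FROM balances WHERE student_id = ?"
    return db.execute(sql, (student_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that is not a real student ID
    print("concatenated :", lookup_concatenated(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
```

When vetting a vendor, asking whether every database call uses bound parameters like the second function is a question with a yes-or-no answer.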
Securing user credentials
Single sign-on makes life a lot easier for students. They have one username and password that gives them access to everything. But with that increased accessibility comes increased risk.
Authentication remains a high priority. Schools need a way to ensure that the student, faculty member, or employee logging into the system is authorized to access the account.
At this stage, the best way to secure user credentials is with two-factor authentication (2FA). Students enter their username and password, then prove their identity through an app or by receiving a code.
There are other authentication options in the pipeline, but for now, 2FA is the most used among colleges.
Ease of access for students and faculty
Many technology departments struggle with the balance between securing credentials and allowing ease of access.
If students and staff find the process of logging in to check a tuition balance, submit an assignment, or read an email too complicated, the school risks alienating its community.
That’s a big problem for schools: if their systems are too inaccessible, students can choose to go somewhere else.
Data security in higher education
Last, but not least, is data security. Schools collect a lot of sensitive information from students, including social security numbers, grades, financial aid status, financial account information, health information, and more.
Many schools work with third-party vendors that sell solutions or systems, or provide services, that store or require access to students’ personally identifiable information (PII).
And the question is, who has access to that data? Who owns it?
Schools are giving up some of the control over their students’ PII when they don’t own the servers or systems that house the data.
Fortunately, many institutions follow diligent protocols in their vendor research. They use questionnaires to vet vendors and thoroughly review research to make informed decisions about security and service.
Staying up to date with cybersecurity challenges
What’s a CIO got to do to get a good night’s sleep?
From what I’ve seen, vigilance and vetting pay off. You may feel rushed to introduce the newest apps or systems to your students. And you wouldn’t be alone: that’s a common concern our clients often voice.
The best way forward is by staying up to date with the latest information, reading the fine print, checking regulatory compliance, and vetting any vendor or service you’re contemplating.