Educause Report Tackles Cybersecurity and Privacy in Higher Ed

• By Dian Schaffhauser
• 03/09/21

Security and privacy threats are at an all-time high on campus, according to a new report from Educause, brought about by a combination of factors: remote work and learning, the proliferation of videoconferencing and the complexities related to the pandemic. Acknowledging that security and privacy have topped its annual list of IT issues for several years running, the association for IT leaders and professionals in higher education recently issued its first Horizon Report on the subject.

A panel of some 50 experts were asked to describe the key technologies and practices they expected to have a "significant impact" on the future of cybersecurity for colleges and universities, and a winnowing down process eventually settled on six:

• Cloud vendor management;
• Endpoint detection and response;
• Multifactor authentication and single sign-on;
• Preservation of data authenticity and integrity;
• Security of research; and
• Student data privacy and governance.

Then they were asked to examine those impacts from several dimensions:

• Equity, diversity and inclusion;
• Positive impact on overall institutional security;
• Risks;
• End-user receptivity; and
• Cost.

While all of the technologies and practices were expected to influence overall institutional security, student privacy and governance was rated the highest specifically for addressing equity and inclusion. The costliest efforts would be research security and endpoint security. And the panel suggested that all six technologies and practices would gain average amount of receptivity among end users.

As Educause did with its annual ed tech trends forecast, the new Horizon report offered several scenarios for what the future — up to 10 years — could look like, from utter collapse to absolute institutional transformation.

In the collapse scenario, "security fatigue" has hit education, gutting the cybersecurity budget, eliminating the internal cybersecurity function and turning student data into a "commodity" to profit from rather than protect. Institutions have turned to "big tech giants" for security.

A step up from there — barely — is the "constraint" scenario. Here, too, IT budgets have been decimated as mergers and acquisitions have shrunk competition and allowed operating costs "to soar." Federal regulations on data privacy have left college security professionals "riddled with personal liability and under constant surveillance."

Then there's the "growth" scenario, wherein cybersecurity professionals have become an embedded element of higher education and staffing has grown "tenfold." The end users have seen the light and become "proactive partners" in protecting networks and devices. And the entire institution embraces a standardized approach to cybersecurity.

Finally, there's transformation, in which remote work and learning have become a norm, and the education segment has teamed up with national security agencies to recruit and train a workforce that can jointly and proactively "target cybercriminals and dismantle weaponized social media, disinformation campaigns and propaganda factories."

In the area of technology specifically, the report identified three trends that will influence which scenario or outcome schools will experience.

First, there's the idea of the "borderless" network or network without boundary, in which services and data are increasingly being maintained on the cloud rather than in the campus data center. Network endpoints, such as computers and smartphones, are no longer being used solely on campus but anywhere. Schools that can't protect endpoints and networks with experience weakened incident response and longer incident response times.

Second, there's the force behind security incidents becoming "routine" and part of the college's "normal" operations. In response, the report noted, a growing number of schools are setting up security incident management departments solely focused on addressing problems as they arrive.

Third, the growth in the use of personal devices for business has increased the number of security risks and challenges institutions are facing. As a result, they're reconsidering the boundaries of what they can "monitor and control" in terms of device policies and data usage.

Educause has included a number of essays from security experts involved in higher ed along with examples from numerous colleges and universities to share how they're staying on top of their unique security challenges.

The purpose of the report is to help higher ed understand what's coming and take action before it's too late. "Forecasts help us prepare for what lies ahead," explained Brian Kelly, director of the Cybersecurity Program at Educause, in a statement. "The Information Security Horizon Report presents trends, scenarios and implications of potential futures that will help us plan and prepare."

"2021 Educause Horizon Report Information Security Edition" is openly available on the Educause website along with a link to a webinar discussing the contents.