Transforming Higher Ed: Cybersecurity Imperatives for the Future
Higher education is one of the biggest targets for cyberattacks, and institutions must be prepared. By keeping cybersecurity top of mind, higher ed can protect its data in this rapidly evolving digital world. In this interview, Tom Dugas discusses the evolution of cybersecurity in higher ed, the more prominent role it plays now and what security considerations moving forward.
The EvoLLLution (Evo): As you reflect on the past year, what notable achievements or successes can you identify for either higher education or your institution?
Tom Dugas (TD): Universities have been faced with new regulations, particularly around the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission’s (FTC) Safeguards Rule. That was a big change for institutions’ cybersecurity organizations.
Organizations including Duquesne University had to meet the GLBA compliance this year. Although it wasn’t as prescriptive as we anticipated, it was a good first step in getting cybersecurity organizations and higher education to a solid maturity level.
Evo: How have you seen cybersecurity evolve in higher ed over the past few years?
TD: People care more about cybersecurity at their organizations. EDUCAUSE just released their 2024 Top 10. Cybersecurity as a core competency was number one. As EDUCAUSE noted in the report, worsening cyberthreats, more abundant and distributed data, changing regulations and the advent of AI are all good reasons to pay more attention to cybersecurity in 2024.
It’s no secret that higher education is one of the largest targets for attacks and people are looking at us differently now. What’s challenging is that many organizations don’t have the resources, funding or staffing to satisfy all cybersecurity needs. So, now we’re looking at new opportunities for outsourcing, shared services, collaboration and consortiums to pull the higher ed community together. It does take a village to protect our community these days.
There’s a lot of tension in our community because resources are constrained at many institutions. People are trying to find ways to maintain costs while tackling one of the most difficult topics in higher education today.
Evo: What are some key considerations higher ed leaders must prioritize going into the next year, especially when in this rapidly evolving landscape?
TD: There are two things we need to focus on: 1) protecting the identities of individuals on campus and 2) managing access to our computing environments. We can protect identities through multifactor authentication, privilege access management and other technologies that can restrict or prohibit those without credentials from entering your environment. As for managing access to our computing environments, higher ed is used to being an open community, but we must operate like a business to ensure our baseline systems have the required security controls, access restrictions and protections.
Evo: What are some other challenges institutions face today?
TD: We’re keeping a close eye on AI and how it will affect our community and environment both positively and negatively. On the negative side, there are examples where AI may have been used in attacks. So, attacks are being thought of differently now that AI can potentially be used to create, propagate and expand attacks quickly. So, we have to keep our eyes open. On the positive side, AI can be used to detect those anomalies in our network and react proactively. We can look ahead and try to forecast scenarios to better prepare ourselves to use AI.
Evo: What’s required of higher ed leaders to overcome some of these obstacles?
TD: We must be thoughtful to ensure we’re making investments to protect our environments. Cybersecurity should be as fundamental as buying and running an ERP to manage our business. As we’ve become more automated, we haven’t maintained the same pace of investment in securing the technologies we have built and are building. Cybersecurity is everyone’s responsibility, and it must be inherent in everyone’s role at the institution.
It’s important to be strategic in spending money. If we don’t, we’ll fall behind. And the reality is we’re already a big target.
Evo: What’s some advice you’d share with higher ed leaders heading into the new year to get buy-in and create more collaboration?
TD: When we talk to executives, faculty, staff, students and parents, we have to highlight the risks and impact of cybersecurity. We must emphasize that cybersecurity risks are serious but need to quantify them in a way that helps them understand the cost to the individual or the institution.
The federal government regulations seem to be catching up to organizations’ needs. We’re taking the initiative to abide by certain common practices that organizations should follow ahead of further regulation. It’s great to see the government talking about these things because we need to invest more and do more with cybersecurity protections. Having best practices, guidelines and requirements will help force our hand to do what we need to do.
Evo: Is there anything you’d like to add about cybersecurity and the future of higher ed?
TD: It’s important for higher ed to focus our attention on protecting our institutions from cybersecurity risks. At the same time, we’re educating the next generation of cybersecurity staff and personnel. For Duquesne, we are also seeing that cybersecurity degree graduates are having difficulty finding opportunities in the workplace. Most cybersecurity jobs want you to have five or more years’ experience, but graduates don’t have that background yet. What they do have is a lot of practical academic experience and an eagerness to learn on the job.
We need to change that culture to one where we recognize people graduating with cybersecurity degrees are capable of jumping in and making a difference. We just need to give them the opportunity to do so.