Hide and seek in the digital playground
As higher education (HE) and further education (FE) institutions face an onslaught of next-gen cyberattacks, how can they ensure their access management and security policies are prepared for action? Manash Ray, lead for customer success at ManageEngine, recently shared his insights at the UCISA24 Leadership Conference.
Why are FE and HE institutions more prone to cyber breaches and attacks?
Educational institutions have a major challenge when it comes to ensuring good cybersecurity. Not only is funding squeezed across the board, but by their nature, these organisations have to secure a large and changing number of endpoints. This includes not only school-owned machines in a variety of settings, from libraries to labs, but also BYOD access from a huge range of devices, all with varying levels of built-in security. Term schedules also mean that IT teams face a steep rise in demand at certain times of the year—like enrolment—making it hard to provision resources and increasing the chance of a breach during peak times.
This is why access management for educational institutions is highly complex, and it can be difficult to balance security with user needs. Yet only half of FE and HE institutions have a strategy in place to counter cyberattacks and determine their response to a breach. While security challenges are often out of a school’s control, having a cybersecurity strategy is something they can and should change, with appropriate support from the industry.
What are the IT complexities and cybersecurity challenges of managing a large site?
Across large sites, many redundant tasks such as password resets are performed manually by help desk teams, which is laborious for staff and users and more prone to error than automated processes. Rather than draining precious expert hours into low-value tasks, organisations need to automate common access requests from students, staff, and contractors, and enable better role-based access request automation using business workflows.
Part of the reason this is so important is the variety and changeability of role types within FE and HE institutions. The process to update access rights when students or staff transition between roles or departments can be slow or poorly managed, leading to individuals accumulating access rights that are no longer necessary or appropriate for their new roles. This can lead to the increased risk of data breaches and unauthorised access to critical systems, plus compliance issues under data protection laws like the GDPR.
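The access-creep problem described above is easiest to see in code. The following is an added example written for this page, not code from the interviewee or ManageEngine: a minimal role-based model in which a role change recomputes a user's entitlements from the new role set rather than stacking them on top of the old ones, alongside a periodic review that flags any right no current role justifies. The role catalogue, user names and entitlement labels are constructed sample data.

```python
"""Added example, not from the interview or ManageEngine: role-based
entitlements recomputed on every role change, with an access review that
flags rights no current role justifies. All role names and entitlements
are constructed sample data."""
from dataclasses import dataclass, field

# Constructed role catalogue: which entitlements each role justifies.
ROLE_ENTITLEMENTS = {
    "student":    {"lms:read", "library:borrow", "email"},
    "postgrad":   {"lms:read", "library:borrow", "email", "lab:booking", "vpn"},
    "lecturer":   {"lms:write", "library:borrow", "email", "vpn", "grades:write"},
    "contractor": {"email", "vpn"},
    "it-admin":   {"email", "vpn", "ad:admin", "helpdesk:reset"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)


def justified(roles):
    """Union of the entitlements the given roles justify."""
    unknown = set(roles) - set(ROLE_ENTITLEMENTS)
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    out = set()
    for role in roles:
        out |= ROLE_ENTITLEMENTS[role]
    return out


def new_user(name, *roles):
    """Provision a user whose rights exactly match their starting roles."""
    user = User(name, set(roles))
    user.entitlements = justified(user.roles)
    return user


def naive_transition(user, remove=(), add=()):
    """The failure mode described in the text: the new role's rights are
    added, but nothing from the old role is ever removed."""
    user.roles = (user.roles - set(remove)) | set(add)
    user.entitlements |= justified(set(add))


def transition(user, remove=(), add=()):
    """Recompute entitlements from the new role set; return (granted, revoked)."""
    user.roles = (user.roles - set(remove)) | set(add)
    target = justified(user.roles)
    granted = target - user.entitlements
    revoked = user.entitlements - target
    user.entitlements = target
    return granted, revoked


def stale_entitlements(user):
    """Rights the user holds that no current role justifies (access creep)."""
    return user.entitlements - justified(user.roles)


def access_review(users):
    """Periodic review: every user carrying stale rights, for revocation
    or recertification by the owner of the system concerned."""
    return {u.name: sorted(stale_entitlements(u))
            for u in users if stale_entitlements(u)}


if __name__ == "__main__":
    alice = new_user("alice", "student")
    print("alice:", transition(alice, remove=["student"], add=["lecturer"]))
    bob = new_user("bob", "student")
    naive_transition(bob, remove=["student"], add=["lecturer"])
    print("review:", access_review([alice, bob]))
```

Running it shows the difference: Alice moves from student to lecturer and loses the student-only right she no longer needs, while Bob, handled the naive way, keeps it and shows up in the review as the kind of accumulated access the interview warns about.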
How can pursuing identity governance and administration (IGA) strategies help?
After 2010, cybersecurity regulations tightened, giving rise to the need for stronger governance in HE and FE. This, in turn, gave birth to the governance aspect of identity and access. As practices have been honed, the Zero Trust framework is increasingly commonplace, in which security systems act to grant or withhold access on a case-by-case basis at the network edge, taking into account credentials, behaviour, location, and the device to ensure only genuine access requests are granted, and withdrawing those that appear suspicious. These kinds of approaches improve the accuracy and efficacy of defences, reducing the likelihood of breaches through insider threats, phishing, or stolen logins.
UK-specific best practice guidelines like the Cyber Assessment Framework (CAF) can also be helpful, providing rigorous objectives and principles to help guide IT teams as they seek to automate processes and remediate threats. Many of these focus on the need to manage and view the security landscape centrally in order to control the whole environment as well as embedding a granular approach to access management.
How can education institutions go further and ensure greater cybersecurity protection?
First off, there are the absolute basics, like ensuring good password practices. For example, blocking dictionary words from being used as passwords can help eliminate brute force attacks or any dictionary-based attacks, securing student and staff accounts from threat actors.
Password managers are also a simple but crucial tool in the fight against data breaches. Not only do they improve password hygiene and help reduce password reuse, many also have access to a universal repository of compromised passwords and patterns. That means they can see, in real time, whether any users are creating passwords that are already on the blocklist of hacked passwords or patterns.
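To make the two checks above concrete, here is an added example written for this page (not the interviewee's or ManageEngine's code): a password acceptance check that rejects passwords built around a dictionary word even after the usual substitutions, and that tests the candidate against a set of compromised passwords using the hash-prefix (k-anonymity) query pattern popularised by the Pwned Passwords range API, where the client sends only the first five characters of the SHA-1 hash. The word list and the breached set are small constructed samples, and the server side of the range query is simulated locally.

```python
"""Added example, not from the interview or ManageEngine: a password
acceptance check combining a dictionary/substitution test with a
compromised-password lookup via a hash-prefix (k-anonymity) range query.
The dictionary and the breached set are constructed samples."""
import hashlib
import re

# Constructed blocklist; a real deployment loads a full word list.
DICTIONARY = {"password", "welcome", "university", "student", "summer", "campus"}

# Common character substitutions that add no real strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password feed: SHA-1 of a few leaked values.
BREACHED = {sha1_hex(p) for p in ("Summer2024!", "Welcome1", "Campus123", "Passw0rd!")}


def normalise(pw):
    """Reduce 'P@ssw0rd1!' to 'password' so the dictionary check sees the base word."""
    core = re.sub(r"[\d\W_]+$", "", pw)      # drop trailing digits/symbols
    core = re.sub(r"^[\d\W_]+", "", core)    # and leading ones
    return core.translate(LEET).lower()


def dictionary_hit(pw):
    """True if the password is, or is built around, a blocklisted word."""
    core = normalise(pw)
    return any(core == w or (len(w) >= 5 and w in core) for w in DICTIONARY)


def range_lookup(prefix):
    """Simulated server side of a k-anonymity range query: return the suffixes
    of every breached hash sharing the 5-character prefix. The client never
    sends the full hash, so the server learns little about the candidate."""
    return {h[5:] for h in BREACHED if h.startswith(prefix)}


def compromised(pw):
    """Client side: hash locally, query by prefix, match the suffix locally."""
    h = sha1_hex(pw)
    return h[5:] in range_lookup(h[:5])


def evaluate(pw):
    """Return the list of policy problems; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if dictionary_hit(pw):
        problems.append("dictionary word")
    if compromised(pw):
        problems.append("known compromised")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Summer2024!", "correct-horse-battery-staple-42"):
        print(candidate, "->", evaluate(candidate) or "accepted")
```

The normalisation step is what makes the dictionary check worth having: without it, "P@ssw0rd1!" passes a naive word-list comparison while being one of the first guesses any dictionary-based attack tries.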
Adaptive MFA can also add another layer of security without compromising user experience. Similar to the tenets of Zero Trust, an MFA system assesses each access request on its own merits, prompting a reauthentication if it believes there’s a chance the session is being used suspiciously.
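The Zero Trust evaluation described earlier and the adaptive MFA described here are the same idea applied at login and during a session, so one added example covers both. This is code written for this page, not the interviewee's or ManageEngine's: each request is scored on credentials, device, location, behaviour and the sensitivity of the resource, producing allow, step-up (re-prompt for MFA) or deny, and an established session is re-scored when its observed context changes. The weights, thresholds, home-country list and sample contexts are all constructed.

```python
"""Added example, not from the interview or ManageEngine: a risk-based
access decision of the Zero Trust / adaptive-MFA kind. Weights,
thresholds and sample contexts are constructed."""
from dataclasses import dataclass
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"
HOME_COUNTRIES = {"GB"}        # constructed: where the institution's users normally are
STEP_UP_AT, DENY_AT = 2, 5     # constructed thresholds on the risk score


@dataclass
class Context:
    user: str
    credentials_valid: bool
    device_known: bool                      # seen before for this user
    device_managed: bool                    # enrolled in institutional device management
    country: str
    hour_utc: int
    resource_sensitivity: str = "low"       # "low" or "high"
    last_country: Optional[str] = None      # from the previous successful login
    minutes_since_last_login: Optional[int] = None


def risk(ctx):
    """Additive risk score plus the human-readable reasons behind it."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += 2
        reasons.append("new device")
    if not ctx.device_managed:
        score += 1
        reasons.append("unmanaged device")
    if ctx.country not in HOME_COUNTRIES:
        score += 2
        reasons.append("outside home country")
    # Two logins from different countries too close together to be real travel.
    if (ctx.last_country and ctx.last_country != ctx.country
            and ctx.minutes_since_last_login is not None
            and ctx.minutes_since_last_login < 120):
        score += 4
        reasons.append("impossible travel")
    if ctx.hour_utc < 5:
        score += 1
        reasons.append("unusual hour")
    if ctx.resource_sensitivity == "high":
        score += 1
        reasons.append("sensitive resource")
    return score, reasons


def decide(ctx):
    """Return (decision, reasons) for a single access request."""
    if not ctx.credentials_valid:
        return DENY, ["invalid credentials"]
    score, reasons = risk(ctx)
    if score >= DENY_AT:
        return DENY, reasons
    if score >= STEP_UP_AT:
        return STEP_UP, reasons
    return ALLOW, reasons


def reevaluate(session_ctx, observed_ctx):
    """Re-score an established session against what is now observed. Any
    outcome stricter than the original decision forces reauthentication,
    or ends the session outright if the new outcome is deny."""
    original, _ = decide(session_ctx)
    current, reasons = decide(observed_ctx)
    order = {ALLOW: 0, STEP_UP: 1, DENY: 2}
    if order[current] > order[original]:
        return ("terminate" if current == DENY else "reauthenticate"), reasons
    return "continue", reasons


if __name__ == "__main__":
    on_campus = Context("alice", True, True, True, "GB", 10)
    print(decide(on_campus))
    print(decide(Context("alice", True, False, True, "GB", 10, "high")))
    print(decide(Context("alice", True, True, True, "US", 10,
                         last_country="GB", minutes_since_last_login=30)))
    print(reevaluate(on_campus, Context("alice", True, True, True, "FR", 10)))
```

The reasons list is kept deliberately: an adaptive system that re-prompts users without being able to say why generates help-desk tickets, which is exactly the low-value load the interview argues should be designed out.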
What does good security hygiene look like for FE and HE institutions?
In a setting as dispersed as an FE or HE institution, with its high turnover of students and changing faculty, good password hygiene and staff training are the cornerstones of data security. Humans are always the weakest link in any cybersecurity system, so ensuring they cause as few mistakes as possible is key.
Additionally, it’s crucial for IT teams to implement efficient processes that are enhanced by the automation of routine tasks. There are plenty of complex problems requiring a technician’s expertise; the less of their time that is spent on low-value tasks, the better.
Manash Ray, Lead for Customer Success at ManageEngine