This culture of openness is encouraged by the Higher Education Information Security Council (HEISC), a group established in 2000 to support communication and coordination for higher education. A volunteer organization, "HEISC accomplishes this work through volunteer groups supported by professional EDUCAUSE staff, as well as collaborations with other organizations that address information security and privacy in higher education," according to its charter.
Learning to share
Conferences are another way that colleges and universities work to share knowledge and best practices with each other. Dartmouth College and many other institutions sponsor one each year, bringing in speakers on a variety of security topics to help foster the kinds of relationships institutions need to defend against threats.
Engaging in these professional conversations about infrastructure and methods of authentication help higher ed CIOs and CISOs determine the best practices for their institutions. One on-going conversation around authentication continues to shape the direction that universities are taking with user login credentials.
Dartmouth College has been using both knowledge-based authentication (KBA) and two-factor authentication (2FA) for quite some time, but only a small subset of the total campus uses 2FA. "KBA is less intrusive on individuals, and it's appropriate to secure most information," Nyman says.
For access to more confidential information, though, users must utilize two-factor authentication. "We are building our infrastructure so that we can deploy two-factor more broadly if we feel we need to," says Nyman.
Colleges and universities "share threats about phishing, what the messages will look like, or where a lot of threats are coming from," said Quinn Shamblin, CISO at Boston University, when he presented at the CIO Summit Boston hosted by CDM Media in early June.
Informing cohorts about potential risks doesn't require revealing every detail of a breach.
"While the number of records stolen or specific information about sensitive issues or anything that might have litigation implications is not shared," Shamblin said, higher education security administrators will report such incident data as an increase in the volume of attacks emanating from a specific region.
Exchanging information allows these institutions to develop better security incident management response plans as they have a heightened knowledge of TTPs. As Shamblin pointed out, "the BU response triage includes analysis of incoming information that will direct responses."
Incident response plans are crucial for any organization because as soon as a breach happens, people want answers. Institutions need to know who contacts whom, when and how, because in the aftermath of any breach, the reputation of an organization is at stake.
"Higher ed is a more open environment, willing to share indicators of attacks with colleagues," Shamblin said. "But the effects are just as closely held by higher ed as any other organization." As much as there's a logistical response to a breach, there's also an emotional response from stakeholders.
Sign up for CIO Asia eNewsletters.