Emerging Technology (Enhancing, Engaging, Connecting)
Top Cybersecurity Risks 2015
- By David W. Dodd
- April 1st, 2015
In all likelihood, 2015 will set a new, unwelcome standard for cybersecurity threats and breaches. Although 2014 was a record year for breaches and simultaneously for diminished public trust, many analysts are describing it as a year in which hackers only enhanced their tradecraft. In 2014, cyberattacks became increasingly sophisticated and targeted, both very troubling trends. Taken as a whole, many analysts are suggesting that as bad as 2014 was, it will be revealed to have been a year of proof-of-concept attacks with far worse to come in 2015.
Higher education is a very challenging environment for security professionals, for numerous reasons. We are simultaneously confronted with the conflicting need to support information discovery and sharing while ensuring privacy and confidentiality. Universities are also among the least controlled environments technologically. Added to that, decentralization in many institutions presents a near impossible task concerning security and compliance.
Cybersecurity risks are numerous and growing. In fact, the “top ten” way of representing risks is no longer workable for security professionals, who must now monitor far more than ten active simultaneous threats in real-time. That said, there are seven significant risks that should be noted, and I convey them to institutional and IT leaders as threats particularly worth attention in 2015.
1. Employees. Human error, mistakes, lack of proper responsibility and even malicious intent make employees a very real threat. CIO magazine listed humans (disgruntled employees and careless or uninformed employees) as the top two threats for 2015. Note the term insider threat, and take all necessary safeguards.
2. Shadow IT organizations. These are usually small, unauthorized organizations that operate various IT services without awareness or authorization by the institution. They represent a serious and growing threat for many reasons, including security and compliance. Typically the only way to detect these groups is with extensive internal IT monitoring — which accounts for the fact that only about eight percent of IT shadow operations can be successfully tracked.
3. Mobile platforms and apps (Android, iOS). Smartphones and tablets have become prime targets. They are everywhere, have enormous capabilities (including financial transactions), and their OS’s are not particularly robust. Apple devices in general have become the subject of focused attacks. It was never that Macs were particularly safe; only that Windows has traditionally been a more target-rich environment. Today, Android and iOS are hacker favorites.
4. Locally stored information. Institutions are flush with data that should be kept private, secure, confidential — and centrally stored and protected. Yet higher education is notorious for having information — such as student and donor information — downloaded, transmitted and stored on unsecured laptops and flash drives.
5. Unsecured web servers and web applications. These are everywhere in higher education, and they are commonly used without adequate security provisioning, even for e-commerce, and contain privileged information, including in many cases personally identifiable information (PII), credit cards and social security numbers.
6. Cyberespionage and cybersabotage. This is a rapidly escalating threat, particularly for research universities. Increasingly, research is based on potential benefits rather than “pure” research. As a result, the potential benefits, if stolen or destroyed, are much greater. Nation-state attacks are increasingly common and powerful, and the potential of research data for financial and security gains is enormous.
7. Legacy systems and data, particularly open-source and community-source software. Old source code (OSC) is recognized as a potent threat because older systems were engineered with much less attention to the cyberthreats that are rampant today. Open-source or community-source systems are at even greater risk for a simple reason — the source code is readily available. Higher education is known for old systems and for community-source software. These will be increasingly targeted, consistent with the global trend.
These seven areas are particularly noteworthy for higher education. The first step is awareness of the threat. The second is addressing it effectively. Cyber liability insurance (CLI) is now considered the norm, and colleges and universities should consider that opportunity carefully. But CLI is primarily for post-breach response. The key is doing everything possible to avoid breaches, because the costs for not doing so are enormous.
This article originally appeared in the April 2015 issue of College Planning & Management.
David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or firstname.lastname@example.org.