Curtis Carver is Vice President for Information Technology and Chief Information Officer at the University of Alabama at Birmingham, and a member of T&LU’s advisory board. He has spent decades in educational IT, including stops at the University System of Georgia and West Point.
In the first of this two-part series, he looks at what school leaders need to focus on and what the major challenges are when it comes to cybersecurity.
Overall, there are lots of things going on in cybersecurity today, which can be characterized in three themes.
1. Depth of defense still works.
You have to look at all possible angles of attack, and then prepare accordingly so that you have an end-to-end defensive strategy for your district. If you’ve prepared for ransomware but haven’t prepared for a denial of service attack or a phishing attack, you’re wide open. You’ve got to have a blend of technology, policy, and education, training and awareness approaches to address the growing cyber threats.
2. All threats are not equal.
The current threat du jour is phishing, and most IT departments have been ineffective in addressing it. You really need a strong educational approach so that staff can tell a “normal” email address from an “abnormal” one, and know what to do when something abnormal happens. Be practical about how you handle that, especially with folks who repeatedly click on phishing messages.
For example, we do active phishing training and we have about a 12% click rate, but if you have someone who has clicked on every message of a 12-message campaign, you have a problem. They are not understanding the threat, and then the question becomes whether they’re a viable employee going forward.
Coupled with that is how you do password management. We’ve spent a long time saying you need a unique password for every account, and it’s wonderful to put that in policy, but on its own that’s a CYA effort. What is really helpful is providing software that generates unique passwords for users and keeps track of them on their behalf.
Moving beyond policy and helping staff to do the right thing is critical.
3. Focus on practical security.
Do security that actually makes a difference. More is not necessarily better. Do the math: determine which risks you’re actually trying to mitigate, and then figure out how to do that.
My favorite example for this is passwords. Lots of folks say, ‘Hey, we’re going to change passwords every 90 days, and it’s got to be an eight-character password, and we’ll remember the last ten.’ Well, on a 2015 laptop, I can break an eight-character password in two hours. So the fact that you change it every 90 days is meaningless. All you’re doing is driving your users crazy.
At our institution, we have 15-character passwords and couple them with two-factor authentication, and we say your password is good for life. And the reason why? Because we’re good at math. If you took a million PCs, it would take 43,000 years to break a 15-character password, and when you couple it with two-factor authentication, there’s just no reason to change it every year because the auditors or compliance staff are not good at math.
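The “do the math” argument above, as an added worked example (not code from the article or its author): it computes the keyspace and exhaustive-search time for a password policy and checks whether a rotation interval does any useful work against offline guessing. The guess rates, the 95-character alphabet and the 100-year “lifetime” threshold are assumptions chosen for illustration, not the interviewee’s figures.

```python
"""Password-policy math: does a rotation interval actually buy anything?

Added example. Guess rates and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600
LIFETIME_YEARS = 100.0  # assumption: crack times beyond this are irrelevant


@dataclass(frozen=True)
class PasswordPolicy:
    length: int
    charset_size: int                # e.g. 95 printable ASCII characters
    rotation_days: Optional[float]   # None means "good for life"


def keyspace(policy: PasswordPolicy) -> int:
    """Number of distinct passwords the policy allows (exact integer)."""
    return policy.charset_size ** policy.length


def years_to_exhaust(policy: PasswordPolicy, guesses_per_second: float) -> float:
    """Time to try every password at a flat guess rate; the expected
    crack time for a uniformly random password is half of this."""
    return keyspace(policy) / guesses_per_second / SECONDS_PER_YEAR


def rotation_verdict(policy: PasswordPolicy, guesses_per_second: float) -> str:
    """Classify the rotation rule against the expected offline crack time.

    - "rotation adds nothing": expected crack time exceeds LIFETIME_YEARS,
      so forcing changes only burdens users (the 15-character case).
    - "cracked within interval": the password falls before it would rotate,
      so rotation does not stop the attack (the 8-character / 90-day case).
    - "rotation limits exposure": crack time is longer than the interval but
      short enough to matter, so rotation genuinely shortens the window.
    - "consider rotation": no interval set and the crack time is within a lifetime.
    """
    expected_days = years_to_exhaust(policy, guesses_per_second) / 2 * 365.25
    if expected_days > LIFETIME_YEARS * 365.25:
        return "rotation adds nothing"
    if policy.rotation_days is None:
        return "consider rotation"
    if expected_days <= policy.rotation_days:
        return "cracked within interval"
    return "rotation limits exposure"


# Constructed policies mirroring the two described above.
WEAK = PasswordPolicy(length=8, charset_size=95, rotation_days=90)
STRONG = PasswordPolicy(length=15, charset_size=95, rotation_days=None)
```

Run `rotation_verdict(WEAK, 1e12)` for an assumed offline rate of a trillion guesses per second and `rotation_verdict(STRONG, 1e18)` for an assumed million-machine fleet at that rate to see the two verdicts the interview describes.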
What are some current challenges in cybersecurity implementation?
1. Doing risk calculation.
What do I prioritize first? With all the threats out there, it can be very daunting.
2. Finding a proper balance.
We’re in a heavy threat environment, and that environment is smart, and it will continue to mature and grow increasingly sophisticated. As that’s occurring, you have to have countermeasures in place.
For example, we had a distributed denial of service (DDoS) attack last year; we successfully defended against it. The attacker then morphed their approach, and because they could tell we were being successful against it, they morphed again, requiring that we counter again. From a user perspective, no one knew this kind of fight was taking place because we were able to shield them, but for us, it was a two-month battle with a combination of technology and policy.
On the positive side, we were able to stop it; if this attack had happened in 2015, we would’ve been down for two months. But because of our investments, no one even noticed we were under this significant attack.
So the job is preparing, and conveying to senior management the need to prepare. You have to be on the front edge of the curve or you’re just crushed.
Part 2 of this series focuses on practical advice for K-12 school districts.