Colleges and universities serve a diverse group of information technology customers. Those customers generally fall into three distinct groups: faculty, staff, and students. Because of the nature of the services these institutions provide, they are held accountable for meeting requirements associated with a variety of laws, regulations, and standards.
As a consequence, security and privacy, particularly as it relates to their custodial responsibility for the data they use and store, should be of paramount concern. Below is a brief list that helps identify an institution’s responsibilities:
Unlike most businesses, colleges and universities have little control over who can access their computer networks. The California community college system has an open enrollment policy. This means, for example, that someone recently convicted of committing a computer-related crime could not be denied admission.
With admission, the process of providing network account access is generally automatic. Access becomes of obvious importance in situations where classes are designed to utilize learning management systems and other applications.
Given the limited control over who is allowed on the network, Identity and Access Management (IAM) controls are of utmost importance. Academic institutions are, more often than not, slow to adapt to and adopt changes in technology. Principles like academic freedom, and resistance to change among tenured faculty, come into play even for relatively simple changes.
A great example relates to an institution’s decision to implement multifactor authentication (MFA) as a defensive effort designed to mitigate the potential of a ransomware attack. For a typical business to make this decision would be a relatively simple process. That isn’t true for colleges and universities—every decision must be made in a collaborative manner, requiring the involvement of representatives of management, staff, faculty, and the students.
During this calendar year I’ve taught at five different academic institutions. The process for user authentication is different at each of them. One college continues to only require single-factor authentication (username and password). Two utilize an SMS transmission of a six-digit number to a mobile phone. However, at one of the colleges, their users have the ability to disable two-factor authentication, a practice common for those viewing this additional activity as burdensome. The other two utilize an authenticator application installed on a mobile phone.
One college where I taught for 18 years was hit by a devastating ransomware attack last year. Based on information I have been told, this attack would likely not have occurred if quality MFA was in place. My understanding is two-factor authentication for access to some of its critical services and resources is now in place, but that isn’t true for email service unless the user sets it up, according to its website.
The importance of MFA implementation is heightened by another potentially devastating financial effect—that of legal action. For instance, Napa Valley College was hit with a ransomware attack last month. Of special interest in this case is that an article disclosing the attack is on a practicing attorney’s website.
It is reasonable, in my opinion, to conclude the placement was designed to serve as an advertisement for potential clients in a yet-to-be-filed class action lawsuit. Utilization of class action lawsuits is becoming a common reality in response to ransomware attacks, as evidenced by researching sites like Top Class Actions.