Making it Work: Higher Education and MFA
Higher Education is facing many challenges: pressure to reduce costs for students; increased regulatory oversight from federal agencies; faculty and staff attrition; hybrid working and teaching; and changing demographics of students, to name but a few.
Added to this mix is an increasing number of cybersecurity attacks, which not only put personal data at risk but also threaten to stop the operations of an institution altogether.
At the same time, the Federal Government, the traditional source of most Higher Education funding, has been undergoing its own cultural change. Executive Order 14028 instructs federal agencies to modernize technology, adopt a zero trust security philosophy, and improve public/private partnerships. The effects of this will trickle down to every higher education institution in the United States.
The state of the industry
To address the industry challenges mentioned above, schools of all sizes must quickly implement security controls to address their greatest threats and do this as efficiently as possible.
According to the 2022 Verizon Data Breach Investigations Report (DBIR), the top attack types for the Education Services Sector are largely unchanged over the last 5 years. Furthermore, the top combination of “use of stolen credentials” and “ransomware” is a problem getting the attention of boards and leadership.
How can a school with limited budgets and limited security expertise protect against these kinds of attacks? The solution is to look for measures that will help mitigate the majority of threats, while still supporting the activities of the institution.
Where to begin?
Multi-factor authentication (MFA) is a common control for preventing or mitigating the impact of Education Services threats in all but two scenarios.
Ease of use
Implementing MFA for an entire faculty, staff and student population can seem overwhelming – there are so many different types of devices in use, user skill levels, and tolerances for change. Consider these factors when implementing MFA. Look for an MFA solution that will work with the widest variety of technologies and skill levels. This isn’t just about integrating with your identity management solution or your single sign-on portal – it’s also about giving users the widest possible choice of authentication factors. Not everyone has a smartphone or will want to use a work application on their personal device – choice is important.
Ease of implementation
If your institution is limited in how many IT or security staff are available to implement an MFA solution, prioritize finding a solution that can be easily managed. Deploying and operating the MFA solution should be as simple as possible without compromising on basic security functionality. Consider investing in additional support services from your provider, at least for the first year. This will help your program be successful right from the start.
Particularly in Higher Education, a successful technology implementation requires an intentional communication strategy. Help your community understand that MFA isn’t a new thing (they already use it at the gas pump, for online banking, etc.) and that using MFA not only makes the institution safer but also protects them personally. Give them plenty of time to ask questions and raise concerns.
Institutions don’t have to roll out MFA to everyone at once. Consider your highest risk users (typically IT professionals, or staff/faculty with access to multiple records) and roll out to them first. Put MFA in front of your highest risk systems (student information systems, employee records, alumni databases). Consider where regulations require MFA and start there.
There is the cost to procure the solution, then there is the cost of maintaining it. Consider:
Government Grants - Particularly at the Federal level, several grants have been made available as part of recent legislation for infrastructure improvements and COVID response. The 2021 Infrastructure Investment and Jobs Act is one example. State governments are also investing in cybersecurity initiatives, so check in with your statehouse.
Higher Education Cybersecurity Community - Work with Educause or Internet2 to engage with peers who are using similar solutions. Many institutions are beginning their zero trust journey by implementing MFA as a first step – there will be plenty of knowledge sharing, and some purchasing consortiums, in which to participate.
Cybersecurity Insurance Providers - To get cyber insurance, institutions will need to have MFA. This is a strong element for a business case, but it’s also an opportunity to partner with a vendor who can assist in selecting and deploying the solution. Having MFA may reduce your premiums, so consider this in your business case.
Where to go next
We all know that cybersecurity is never “done”. Instead, it’s an ongoing maturity program. MFA is a foundational security control, which will help mitigate many threats to our institutions. Once it’s in place, it can be used as a building block supporting a zero-trust philosophy across the institution. Having this in place will satisfy regulations, funding partners and privacy advocates.
This is not a journey to take alone. Use the community of resources and peers to help you on your way.
Want to learn more about how Duo Security helps customers on their MFA journey? Sign up for a free trial today!