3 Ways Schools Can Build Resilience Against Future Cyber Threats

There appear to be endless opportunities for cutting-edge technologies, like generative artificial intelligence (AI) and virtual/augmented reality (VR/AR), to facilitate teaching and support learning inside and outside the classroom. However, as these and other transformative tools rapidly make their way onto campuses, a fresh set of advanced, dynamic, and multilayered cyber threats accompanies them. Futuristic technologies typically have four common traits that contribute to a heightened cybersecurity risk for schools:

1. They are usually fueled by collecting, analyzing, and storing large amounts of sensitive and personally identifiable information, raising serious concerns about breaches, privacy, and data altering.
2. They often track and gather user movement data, which bad actors can exploit to identify people, impersonate them, or manipulate them with deepfakes and social engineering.
3. They generally have complex algorithms that are difficult to understand and audit, making it challenging for information technology (IT) teams to identify and address potential security flaws.
4. They are frequently sourced from third-party vendors with their own security weaknesses, which can put an institution's assets, from proprietary research and course materials to protected health records and disciplinary files, at risk of exposure.

Foundational loss-prevention controls, such as multifactor authentication, regular data backups, and perimeter-based network security models, have been a critical wall of defense against cyberattacks, but they are no longer sufficient. It will take more sophisticated, broader, and more collaborative defensive measures to protect your school's network, devices, and data in this new age of technology. Following are three cybersecurity strategies that might help educational institutions build up the cyber resilience necessary to anticipate and adapt to the technology and cyber-threat landscape of the future:

1. Implement a zero-trust approach.

On any given day, thousands of on-site, remote, and third-party individuals are likely trying to connect with your school's network via their phones, laptops, computers, VR headsets, gaming systems, AI glasses, and more. This is a far more complex and diverse set of potential network users and devices than in the past, and they are highly susceptible to being compromised and used by bad actors to attack sensitive information. As a result, the traditional cybersecurity strategy of trusting users and permitting system access based on their physical or network location or whether their device is property of the school or personally owned is no longer a preferred practice for educational institutions.

Instead, schools that aren't already shifting to a zero-trust cybersecurity approach should consider doing so soon. This strategy assumes that all devices and individuals trying to connect to your school's network are, as the name suggests, untrustworthy. Every user, whether inside the campus community or external to it, faces the same level of scrutiny and must repeatedly prove they are not a threat via multiple verification activities at each point of entry every time they try to access it. This approach is highly effective at repelling bad actors because every asset, application, and network segment has its own authentication process. In addition, if a breach does occur, the zero-trust architecture enables faster detection and response time, which usually means the incident can be contained to the single, small network area where it happened, greatly reducing the risk of a catastrophic, system-wide event.

2. Develop a positive cybersecurity culture.

The responsibility for your school's cybersecurity should not fall solely on the shoulders of the IT team. Instead, educational institutions that adopt a team mentality toward managing cyber risk will be best positioned to address their vulnerabilities and safeguard their organizations against the future cyber-threat landscape.

The first key component for building a positive cybersecurity culture is to conduct regular awareness and training that engages all stakeholders. These activities should consider the varying levels of cyber knowledge and expertise of your faculty, staff, students, and other community members. Following are some innovative (and fun) cybersecurity training ideas schools may want to try:

• Use gamified learning platforms to create virtual escape rooms or simulate real-world cyberattacks.
• Develop interactive stories in which participants make their own decisions at key points during a cyber threat and experience the outcome of these actions.
• Simulate a phishing attack using AR/VR training modules, allowing users to practice identifying and responding to threats in a realistic setting.
• Organize hackathons during which students and staff work together to solve cybersecurity challenges.
• Host capture-the-flag events where participants compete to solve cybersecurity puzzles and capture digital "flags."

Some of the other crucial components of a positive cybersecurity culture include developing clear and actionable cybersecurity policies and procedures; frequently reviewing and updating security protocols to ensure they keep up with technology and related regulations as they evolve; and collaborating and communicating across colleges, departments, and faculty to reinforce consistent security practices.

3. Establish a third-party cyber risk management process.

As your school invests in strengthening its cybersecurity posture, it is critical to hold third-party vendors and suppliers accountable for doing the same. Otherwise, an unknown vulnerability in a third party's IT infrastructure or its policies and procedures could compromise your school's network, devices, and sensitive data. In addition, a vendor's security gaps could create legal, compliance, and regulatory issues for your institution.

When vetting and negotiating with a new third-party partner, especially one that may end up supporting your IT infrastructure or supplying AI/VR tools and software, your vendor risk management process must include identifying, assessing, and mitigating the cybersecurity risks this provider might introduce to your school's digital ecosystem. Following are some third-party cyber risk management preferred practices schools can use when onboarding a new vendor and assessing current partners:

• Thoroughly check the vendor's security practices. For example, review its security controls, policies, and past incident reports.
• Confirm a vendor's compliance with relevant regulations, standards, and education industry¬–specific guidelines via its certifications and audit details.
• Develop a crisis response plan with each vendor that clearly outlines the action steps to be taken and the responsible parties in the event of a cyber incident.
• Write security requirements into contracts with vendors. For example, there is a need for regular security updates, the right to audit, and specific language for how quickly the vendor needs to report security issues and how they should be handled.
• Schedule ongoing cyber risk assessments to ensure the vendor follows through on its security commitments and document all reviews.

While we may not be able to predict every emerging technology on the horizon—or even what might be available tomorrow—we feel confident that AI, VR, and similar revolutionary technologies will continue to have a growing impact on how educators teach and students learn. However, they can also significantly increase your organization's cyber-threat landscape. By taking steps to achieve cyber resilience today, schools may be able to future-proof their organization against whatever tech tools and cyber risks come their way. If you would like additional guidance, resources, and insights on proactively managing your institution's cyber risks and other current and emerging threats, please contact us.