University data breaches and other cyber incidents cost the education sector millions of dollars—a heavy price to pay that includes, but is not limited to, the initial damage caused by the attack, lost government funding, legal liabilities, penalties and lawsuits, reputational damage, and both short-term and long-term harm to universities’ research and development capabilities.
The US Department of Defense’s new cyber compliance requirements for universities that collaborate in the defense sector underscore the importance of high standards for cybersecurity in higher education facilities. Adhering to stringent cybersecurity and compliance standards helps university departments protect their ability to conduct research and promote innovation in their fields, especially when collaborating with government agencies such as the DoD or HHS. However, meeting high cybersecurity standards isn’t easy, and implementing best practices can feel like it stifles your faculty’s ability to research and innovate.
Cask’s team of cybersecurity experts has ample experience helping organizations in the education sector raise their standards for cybersecurity and avoid the severe consequences of university data breaches and other cyber threats. Read on to find out how you can achieve this delicate balancing act between preserving your ability to innovate and protecting your research capabilities with more strategic cybersecurity for universities and other higher education institutions:
How Higher Standards in Cybersecurity for Universities Get In Researchers’ Way
Talk to any researcher in any university’s science and engineering departments, from astrophysics to bioengineering, and you’ll probably find they have a bone to pick with at least one of the ways higher standards for higher education cybersecurity programs can interfere with their ability to do their jobs. Take, for example, the following four scenarios:
Scenario 1: Restrictions on Data Access and Sharing
Universities across the country are racing to be the first to make new discoveries and seize the opportunities they present. In the world of research, you snooze, you lose—and slow and steady does not always win the race. Researchers can find themselves under tremendous pressure to access the data they need and share data with research collaborators quickly, but adhering to their university’s cybersecurity best practices can throw up frustrating roadblocks.
For example, strict access controls and data classification policies can limit the ability of researchers to quickly access the datasets they need, slowing down research progress. Access control requirements like multi-factor authentication and data-sharing restrictions that keep sensitive data out of the wrong hands can add extra steps to the research workflow and make research collaboration between educational institutions—particularly international partners—especially cumbersome.
Scenario 2: Compliance and Administrative Burdens
People only go into research if they have a real passion for conducting that research, and the last thing they want to do is tedious administrative work to ensure or demonstrate compliance when they could be out in the field doing their life’s work. That’s why asking researchers to comply with higher standards for cybersecurity in higher education facilities will get at least one of them griping about how they spend more time ensuring compliance with cybersecurity policies than focusing on their actual research.
Navigating multiple regulatory frameworks as mandated by their subject matter and research partners (such as NIST 800-171, ITAR, or HIPAA) can be complex and overwhelming—and lead to frustrating delays in research projects. On top of that, better cybersecurity for universities often requires increased investments of time and effort into cybersecurity training requirements for faculty, staff, and students—diverting time and resources from research activities.
Scenario 3: Slower Innovation Due to Security-Driven IT Constraints
Going thirty-five miles per hour on a street where the top speed limit is twenty-five might get you to work faster, but it’s illegal to speed in a school zone because it presents a danger to yourself and others. Similarly, researchers can find themselves hamstrung and slowed down by constraints on how they are allowed to use their university’s IT infrastructure, even if those constraints are utterly necessary to prevent university data breaches and other cyber incidents.
Firewalls and network segmentation designed to enhance security can limit researchers’ ability to access external resources, such as cloud-based tools, databases, and high-performance computing clusters, when it’s most convenient for their work. On top of that, security patches, system updates, and vulnerability scans can cause unexpected downtime for the research IT systems your departments depend on, disrupting their experiments and project timelines.
Researchers might also have a bone to pick with having restricted access to newer research tools and methodologies if their university’s cybersecurity policies haven’t fully accounted for the risks their use might pose to network security.
Scenario 4: Increased Costs and Budgetary Constraints
Research isn’t cheap. Neither is maintaining a strong enough cybersecurity posture to deal with the modern cyber threat landscape universities across the world are faced with. And universities, as any staff or student can tell you, aren’t always the most flush with cash.
Investments in improved cybersecurity for universities, such as modernizing IT systems, hiring dedicated cybersecurity personnel, implementing more advanced security tools, and hiring third-party support for cybersecurity risk assessment and cyber compliance audits, can divert funding away from research programs, reducing available grants and operational budgets that could have gone toward research personnel, equipment, and software.
Managing the Delicate Balancing Act: Five Strategies to Get the Best of Both Worlds
“The higher education community is a critical partner in the defense sector—we need them to adopt and maintain cybersecurity best practices to protect the innovations they are developing for our warfighters.” – Elizabeth Guezzale, Cask Government Services
Higher standards for cybersecurity in higher education mean lower risks of data breaches and other cyber incidents imperiling your work, at the cost of having more speed bumps for your researchers to contend with in their work. On the other hand, prioritizing a more frictionless research experience that fosters faster and more streamlined innovations might get you ahead of the pack in your field, but with the increased risk of cyber attacks that can cost your university millions of dollars in damages and lost opportunities in the future.
You may not be able to have both, but taking a more strategic approach to cybersecurity for your university’s research facilities can ensure a strong security posture while keeping your researchers happy and productive.
Some of the strategies you can implement to achieve this balance and protect your research while giving your researchers room to grow include:
Strategy 1: Adopt Risk-Based Cybersecurity Frameworks
A lot of the griping from researchers about cybersecurity frameworks restricting access to much-needed data and resources is the result of blanket cybersecurity policies that treat everybody the same. By implementing risk-based cybersecurity frameworks such as the NIST Cybersecurity Framework instead, you can tailor your university’s cybersecurity measures based on the sensitivity of research data rather than applying overly restrictive blanket policies across the board.
For example, risk-based cybersecurity for universities offers the capability to prioritize security resources for high-risk projects while allowing more flexibility for low-risk research activities. This way, secure research stays secure—and researchers don’t feel unduly burdened by onerous and unnecessary security policies.
Strategy 2: Implement Secure but Agile Data Access Policies
Advances in cybersecurity technology are making it possible to maintain security while also offering a degree of flexibility. For example, agile data access policies such as role-based access controls (RBAC) ensure researchers can access only the data they need—but as long as the right person is accessing it, they can access it without unnecessary restrictions.
Your university’s cybersecurity practices can also include secure research enclaves or sandbox environments that allow researchers to work with sensitive data while maintaining strict cybersecurity controls. To make collaboration across multiple research institutions more frictionless while maintaining high cybersecurity standards, federated identity management solutions may also prove useful.
Strategy 3: Build Secure Cloud-Based Research Infrastructure
One particularly effective strategy for reducing the cost and resource burdens of cybersecurity in higher education institutions is to adopt secure cloud platforms such as AWS GovCloud or Google Cloud for Research, which comply with cybersecurity requirements while providing scalable computing power for research projects.
Used alongside end-to-end encryption for data storage and transmission and zero-trust security models to control access to sensitive research environments, these cloud solutions can help you allocate more resources for research.
Strategy 4: Design Cybersecurity Training Courses Tailored for Researchers
Develop research-specific cybersecurity training programs to help faculty and students understand cybersecurity requirements without overwhelming them with unnecessary technical details. To keep researchers from feeling bogged down by cybersecurity requirements, design fast-track security clearance pathways for researchers involved in classified or government-funded research.
Using automated security tools can also help minimize manual security tasks for researchers, freeing them up to spend more time doing what they’re here to do instead of doing tiresome administrative work.
Strategy 5: Establish Governance and Collaboration Between IT and Research Teams
Many of the grievances researchers may have with the cybersecurity policies they are asked to follow come from not having a seat at the table. By establishing cybersecurity advisory committees with representation from both cybersecurity teams and research faculty, you can more easily find sensible compromises that allow you to meet high standards for cybersecurity in higher education while accommodating research needs.
Find the Balance Between Research and Security with Cask
Better cybersecurity for universities doesn’t have to come at the cost of your research faculty’s ability to do their jobs and drive innovation in their fields. With the right strategies in place, you can ensure your university meets the higher standards for cybersecurity in higher education mandated by government agencies and the ever-evolving cyber threat landscape while providing researchers the flexibility to do their work without feeling unduly hindered.
With extensive experience providing cybersecurity support to organizations of all shapes and standards, Cask is ready to assist you in finding that balance. From program management to systems engineering to cybersecurity, our team of consultants provides the comprehensive strategic support you need to achieve your goals. Contact us today to get started.