How to Identify and Respond to Cyberattacks
The cybersecurity crisis resulting from the Log4j vulnerability last December serves as a wake-up call to many in development, IT operations, and security. The open source logging utility for Java-based applications contains a bug that can allow attackers to easily gain control over third-party systems. The impact of this vulnerability is expected to linger for months, or longer.
Since Log4j is embedded in many popular web services and systems, almost all institutions of higher education are affected. Any server running the Apache Log4j Java-based logging utility, or running applications that have Log4j embedded, may be vulnerable. Administrators of web-facing applications have had to scramble to investigate whether this risk exists on their campus and to upgrade if they are running a vulnerable version.
This exposure brings the issue of cybersecurity and the likelihood of a breach to the forefront. When you think about all the data a university collects and has access to—personal information, academic data, research data, residence and payment information and more—you realize just how enormous the risk is.
While you’ve likely implemented a number of threat prevention strategies, your campus may still suffer a cyberattack as bad actors continue to evolve their techniques. And the impact of cybersecurity breaches increases every year. According to a 2021 Ponemon Institute study, university data breaches rank 10th in total cost. The average total cost of each data breach in higher education is $3.79 million, not counting the potential damage to the institution’s reputation. The study also found it takes an average of 287 days to identify and contain a data breach, and the longer it takes, the more costly the breach.
Higher ed institutions need to know how to identify common indicators, respond to data breaches, and recover from cyberattacks.
How to Identify an Incident
Knowing there has been an incident is often the hardest part. Teams should be diligent about monitoring and tuning their tools and processes in order to identify issues as early as possible. This includes actions such as:
- Ensuring your tools are operating effectively
- Monitoring for alerts and responding promptly
But beyond the basic blocking and tackling tools like endpoint detection and response (EDR) and intrusion detection systems (IDS), knowing what normal reporting looks like and finding things that are atypical is key. This can be accomplished by developing a baseline of normal behavior and comparing new behavior against it.
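As an added illustration of the baseline-versus-new-behavior idea (example code, not from the original article): build a per-user baseline of daily failed logins from a window of constructed log lines, then flag users whose new daily count is far above their own normal, or who have no baseline at all. The log format, user names and addresses are all constructed for the example.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original article), one per failed
# login, in a simplified "YYYY-MM-DD FAILED_LOGIN user=<u> src=<ip>" format.
LOG_LINE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) FAILED_LOGIN user=(?P<user>\S+) src=(?P<src>\S+)$")

BASELINE_LOGS = """
2022-01-03 FAILED_LOGIN user=alice src=10.0.0.5
2022-01-03 FAILED_LOGIN user=bob src=10.0.0.7
2022-01-04 FAILED_LOGIN user=alice src=10.0.0.5
2022-01-04 FAILED_LOGIN user=alice src=10.0.0.5
2022-01-05 FAILED_LOGIN user=bob src=10.0.0.7
2022-01-05 FAILED_LOGIN user=alice src=10.0.0.5
"""
NEW_LOGS = "\n".join(
    ["2022-01-10 FAILED_LOGIN user=alice src=10.0.0.5",
     "2022-01-10 FAILED_LOGIN user=mallory src=198.51.100.9"]
    + ["2022-01-10 FAILED_LOGIN user=bob src=198.51.100.9"] * 6
)

def count_failures(text):
    """Parse lines into {user: {day: failed-login count}} plus the set of days seen."""
    counts, days = defaultdict(Counter), set()
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these too
        counts[m["user"]][m["day"]] += 1
        days.add(m["day"])
    return counts, days

def build_baseline(text):
    """Per-user mean and population std-dev of daily failures over the baseline window.
    Days with no failures for a user count as zero, so quiet users get a low baseline."""
    counts, days = count_failures(text)
    baseline = {}
    for user, per_day in counts.items():
        values = [per_day.get(d, 0) for d in sorted(days)]
        baseline[user] = (statistics.mean(values), statistics.pstdev(values))
    return baseline

def find_anomalies(baseline, new_text, sigma=3.0, floor=5):
    """Flag (user, day) whose count exceeds mean + sigma*sd and a noise floor,
    plus users with no baseline at all (nothing 'normal' to compare against)."""
    flagged = {}
    counts, _ = count_failures(new_text)
    for user, per_day in counts.items():
        for day, n in per_day.items():
            if user not in baseline:
                flagged[(user, day)] = "no baseline for user"
            else:
                mean, sd = baseline[user]
                if n >= floor and n > mean + sigma * sd:
                    flagged[(user, day)] = f"{n} failures vs baseline {mean:.1f}+/-{sd:.1f}"
    return flagged
```

Running `find_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS)` flags bob (6 failures against a baseline under one per day) and mallory (never seen before), while alice's single failure stays within her normal range.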
How to Respond if Your Institution is Breached
- Implement a cybersecurity incident response plan: If you don’t already have one, make sure you create a plan before you ever need it. Your response plan should be concise and include all contacts and resources needed in the event of a breach. Recommended information includes, but is not limited to:
  - Response team: parties responsible for technical tasks, coordinating immediate resolution, planning ongoing remediation, and managing communication needs
  - Prioritized activities for each team member
  - Tools identified to assist with detection and immediate resolution
  - Potential scenarios, including the specific defense measures most effective against various types of attacks
  - Staff training exercises to prepare the response team
- Act quickly to address the issue
  - Identify the threat and its source
  - Understand the extent and take measures to limit severity
  - Perform a security scan for malware
  - Isolate the infected site(s)
  - Contain the breach
  - Secure IT systems and complete remediations
- Communicate promptly and thoroughly
  - Follow proper notification procedures (staff, clients, authorities and impacted third parties). Requirements may differ according to local security breach notification laws.
  - Work with the university communications team to address public messaging
  - Be transparent about the breach: include what happened, what it means, the steps taken to address it, and the steps taken to prevent future threats
- Follow your business continuity plan to address how the cyberattack may affect operations throughout your institution
- Keep detailed records
How to Recover from a Cyberattack or Data Breach
- Restore or rebuild lost data
- Assess procedures and technologies to prevent future attacks or breaches
- Make corrections and improvements as needed, and simplify systems where possible
- Update your cybersecurity incident response plan
- Inquire with your technology partners about what additional solutions are available
Staying safe from cybersecurity threats requires constant vigilance. Unfortunately, one of the biggest risks to data security is the human element. Continual training for your staff on how to handle a data breach can significantly reduce the financial cost, as well as limit the damage to your institution’s image. Ensuring your staff have the right skills and tools to prevent and defend against attacks from the start will only strengthen your investment.
TouchNet is committed to providing solutions to higher education institutions that fortify cybersecurity and mitigate risks to their data. Our solutions include multi-factor authentication, secure connections, encryption, and compliance certifications that help protect personally identifiable information.