As the number of cyber-attacks targeting higher education rapidly escalates and high-profile incidents increasingly clutter our newsfeeds, colleges and universities worldwide are scrambling to strengthen their security incident response planning.
While many institutions are implementing new technical controls such as MFA to keep attackers out of their systems and documenting incident response plans, the most progressive leaders know those plans are wasted and quickly become outdated if they are not regularly practiced through tabletop exercises.
We recently spoke with the University of Auckland’s Chief Information Security Officer (CISO) James Harper about their incident response planning and gathered three lessons all higher education institutions should heed when designing and performing their own tabletop exercises.
Lesson 1: Involve the full scope of key decision makers
Tabletop exercises are team-based simulation activities designed to give leaders the opportunity to practice staff and resource mobilization in response to a short-term incident or emergency.
Tabletops should comprise a cross-functional and multidisciplinary group of relevant stakeholders and decision makers, ranging from the IT/security team and the president’s cabinet to divisional leadership teams.
The University of Auckland conducted its security incident response exercises with a host of senior leadership members spanning campus. Auckland strategically curated the group of participants who would need to work together to confront difficult decisions in the event of a real security event. This participation enabled Auckland to clarify incident response roles and responsibilities as well as review and improve existing response policies and procedures.
If only IT/security team members participate in the exercise, then IT leaders should communicate any takeaways or vulnerabilities identified from exercises to the most senior leaders to prepare them for the sensitive decisions they would have to make in the case of a security incident.
For instance, Auckland’s CISO made sure to debrief the Vice Chancellor on the tabletop exercise results, recognizing that the Vice Chancellor, who did not participate in the exercise, would ultimately be the final decision maker and the person responsible for any incident. This ensured that Auckland’s most senior leader still benefitted from the key learnings of the exercise and would be prepared to make informed decisions in response to a security incident.
Lesson 2: Make tabletop exercises as real as possible to prevent any questions about applicability
The effectiveness of simulation exercises suffers when participants downplay their importance and fail to grasp the opportunity for continuous improvement. Set ground rules and clarify roles and responsibilities to emphasize the need for active and realistic participation in the event, such as “participants should try to behave as if incidents are actually happening, even though it may feel odd.”
The University of Auckland preempted any apathy towards its security incident tabletop exercises by modeling them on a data breach that occurred at a nearby local hospital, where over 700 servers were encrypted, affecting all hospital services. By testing its preparedness against a real-life incident, Auckland ensured its exercises hit close to home and resonated with participants. As a result, the exercises yielded a more fruitful evaluation of the institution’s response capabilities and vulnerabilities.
Lesson 3: Practice worst-case scenarios and hard decisions to force clear articulation of priorities
The University of Auckland did not design its tabletop exercises to be a walk in the park. On the contrary, the institution practiced responding to a complete institution-wide system shutdown, from educational systems to HVAC to building access controls. This scenario pushed the Auckland team to creatively brainstorm the whole spectrum of issues a shutdown could create: whether students would have heating in dorms, whether access control would still allow campus members to enter and leave buildings, and whether fire alarms would still function in case of a fire. In turn, simulating the worst-case scenario forced the team to prioritize which systems to address and recover first.
Auckland rightly concluded that recovering the systems supporting campus members’ health and safety was the utmost priority. Establishing reliable and frequent internal and external communications for the campus community was a close second, recognizing that limited information degrades the quality of response in the early hours of an incident and that the campus community needs frequent updates throughout an incident.
Similarly, Auckland administrators discussed various scenarios and prompts to help them clarify under which conditions they would consider paying a ransom in the case of a ransomware attack. While such decisions are not final, exercising your institution’s decision-making apparatus will help you address a real ransomware attack with more confidence and fluidity.