The University of Wisconsin Board of Regents looked at expansions to cybersecurity insurance, new database projects and third-party data management procedures during meetings Thursday.
The Board of Regents said cybersecurity is a constant risk for higher education institutions, which host a trove of sensitive and valuable data — student information, employee information, research data and more that make for a lucrative target for hackers. Along with increased risk have come widespread federal and state investments in cybersecurity funding and resources.
In recent months, critics raised data security concerns toward two publicized data security incidents in the UW System: a third-party National Security Clearinghouse breach in which UW System records and personal information were compromised and a security flaw at UW-Madison which left graduate program letters of recommendation publicly available on search engines.
Here’s what the Board of Regents said about cybersecurity and data privacy Thursday.
Higher education cybersecurity risks are widespread across all institutions
The Board of Regents said there are inherent increased risks for universities in the cybersecurity sector.
“This is a very different world” than some years prior, Regent Kyle Weatherly told attendees while discussing cybersecurity insurance costs.
That led to new programs and initiatives across the UW System cybersecurity suite. A fall 2023 pilot partnership with the University of Indiana’s OmniSOC, a shared 24/7 security operation center across multiple state universities, is meant to provide “extended monitoring” for a reduced cost compared to in-house services, according to UW System Chief Information Security Officer Edward Murphy.
The same holds for replacements in “advanced” authentication policy for students and employees, Murphy said, and the rollout of new multi-factor authentication procedures across the UW System.
‘Tighter controls,’ need for expanded incident response
Murphy said the UW System wants to prioritize speed and accessibility in incident response alongside vendor assessment protocols for campus partners.
“When attacks happen after hours — Friday six o’clock seems to be a popular time for them to happen — the less the impact will be if we can know about it and respond,” Murphy said.
Steven Hopper, UW System associate vice president for learning and information technology services, said the system is looking to standardize risk assessment for third-parties across its universities rather than having duplicated risk assessments across multiple campuses.
Part of lessening impact will also depend on more stringent controls for “privileged accounts” — staff members like IT employees who can broadly affect and change technical environments through account permissions.
“We want to see what we can do to harden those,” Murphy said.
Awareness and training programs assist employees in best cybersecurity practices
The UW System rolled out phishing awareness campaigns to all system employees, Murphy said. Phishing, a practice in which hackers impersonate reputable actors or institutions to gain data access, is a consistent concern across the data security sector, UW-Madison School of Information professor Dorothea Salo told The Daily Cardinal.
“I understand why [the] system insists on doing fake phishing training. I'm just not convinced that's the greatest approach to the problem,” Salo said.
Murphy said the UW System plans to expand cybersecurity education material distribution through newsletters, websites and email communications.
Third party data partnerships to grow with new projects on the horizon
The UW System plans to continue growing data analytics partnerships in the future, despite concerns from data security professionals and some students. A large project remains in the works — a $212 million systemwide Administrative Transformation Program (ATP) dedicated to “standardizing finance, human resources and research administration” processes. ATP includes “data analytics and data storage,” according to a March 2023 UW-Madison Academic Staff Executive Committee meeting.
There are two key steps in ATP, the first being a shift to Workday, an enterprise resource planning system with employee and administrator-facing applications.
The ATP rollout has been marked by delays. Although Workday was planned to launch in July 2024, the current planned date is July 2025, according to a UW-Madison website. Funding reserves from UW-Madison will partially fund ATP, according to meeting materials from an October 2023 Regents meeting.
Staff members from across the UW System tested Workday software from Jan. 16-18 during a hands-on event in Madison.
Liam Beran is the Campus News Editor for The Daily Cardinal and a third-year English major. Throughout his time at the Cardinal, he's written articles for campus, state and in-depth news. Follow him on Twitter at @liampberan.