Special guest: Rivka Tadjer Cybercrime Prevention & Mitigation expert
In this episode of Innovations in Education, we do a deep dive into the ongoing battle against cyber threats. We explore the intersection of technology and human behavior, where the real battleground lies in preempting threats before they breach the network. Rivka underscores the importance of leveraging advanced technologies like machine learning and threat intelligence to stay one step ahead of adversaries. Yet, amidst the buzz of ai and cutting-edge defenses, she reminds us of the foundational importance of sound data management and collaborative efforts across departments.
Below is a machine-generated transcript of the conversation
It is a never ending battle and there are two important things happening right now and for this year in higher Ed and I’m actually working with two universities, which I can’t talk about, but they’re East Coast, around New York and here are the things. One, there’s have been some. Slash action suits against universities because there’s a lot of constituents. It’s like they’re their own countries. If you think about it, they have the trustees, OK, that have a fiduciary responsibility. The students, the parents, the faculty, there’s a lot going on there. And one of the things that’s happening now. Now in enterprises not just in higher Ed, but it has a specific impact is that the IT executives that are in charge of security are also potentially legally liable for breaches. OK, this is a brand new thing. Well, it’s newish. You know it’s been brewing for a couple of years. The class action suits against universities have not made it better. A lot of these folks in IT who create the access control and then monitor it had their contracts long before this happened. All of a sudden they’re reviewing, you know, insurance policies. Are you doing all this? Can we reinsure you? And if we do and there’s a breach, are we even paying your claim? And if all those things don’t happen, how liable is the CTO and the CTO at a university? So there’s a lot of stress. Tier and traditionally the CTO inside a university is not able to secure financing and conduct cooperative things with operations. People like the chief officer aiding officer and the head of legal and the CFO and now all of those things are coming. Together in a confluence. And I know this sounds like a joke, but to me the most important thing that the head of IT could do this year in the university instead of getting another security certificate is to take an accounting 101 class. Honestly, because the way things are being audited and the way things are going, they have to understand where the threats are coming from. How they mirror like in the banking industry. You know, there’s fraud inside your network and what everyone wants to do is detect the threat before it gets in. They have to do that and universities have other things. Look, my daughter graduated from college last year. She still has her Edu e-mail. OK, which she will use for any discount she can get. And now she’s an alum and they want to keep in touch with her until one day she is. Employed long enough to. Be able to donate again, right?
Kevin Hogan
Right when the loans are gone and. Now you give it back.
Rivka Tadjer Cybercrime Prevention & Mitigation expert
To the school. Right. And but they are not on the school network anymore. It’s constantly being mixed with personal e-mail. These are things. How can the IT person be held liable for this for behavior that they have no control over? So frankly, there is a challenging. Tasks that does not exist in other verticals and they need data and they need information and they need cooperation. From human resources, from the Dean of students, from the president, the Provost, the CFO and operations. Because this is operational risk, which is defined by human behavior. OK, go find college students and early graduates who, you know, cut and paste off codes.
Speaker
For.
Rivka Tadjer
What you know and how they’re using it, and how can somebody be responsible for everything without the authority or even the capability?
Kevin Hogan
And the High Flex models, right? I mean these the hybrid things that were established or even just kind of accelerated as a result of the pandemic that are still going to be there and students have an expectation. Or just make the networks that even more exposed, right?
Rivka Tadjer
Yes. And you know that kind of thing. I think many higher Ed. IT directors will tell you that they’re going to handle up the pandemic, actually speed that up. You know, how secure is your zoom? You have to log on. You can’t do it without your Edu. The the professors have been taught to see if there’s a stalker. Because that’s actually network security, you know? And they were long integrated into things like zoom and canvas and the other things that they use. The issues now are really behavioral and getting together to handle operational risk when they’re not prepared to do this right and they. Need a big voice? And they need an advocate in the finance department, and they need an advocate in legal. And I strongly urge IT people to go make those friends and say, look, the liability will fall on the university, that class action suits are coming to the university, right. When parents financial data is exposed and all of that, they’re going to come there. So they need to work together. And I think that that and understanding the economics and the insurance of it should they should have time to do that in their job.
Kevin Hogan
So we haven’t even talked about technology. I mean it, it seems that the priorities right now are in terms of personal behavior, I mean, personal responsibility as an executive in terms of taking that accounting class, making friends with the lawyers, anything happening on the technology front of you or is that just kind of a just a constant you know? I got a beer. Bigger gun, I’ve. Got a you? Know a a bigger defense to your bigger gun sort of situation.
Rivka Tadjer
Now there is something happening on the technology front and it’s an old saying. You’re as good as your data, but what is going on in the technology front is the ability. To see the threats before they get to your network. OK. And then this is going to be a go around again for IT executives inside universities to get the funding to do this because a penny of prevention is worth a pound of cure is absolutely true. Our laws are still behind and you know, they kind of lead in banking. Finance. Where they treat fraud and they treat criminals that get that betray access control but they wait till they’re there. This has this has to be the threat before it becomes a target. And what’s great in technology is how smart the data is becoming. All right, so you can now detect with the right kinds of programs. That is great. It’s like a portal that IT executives can go in to see. What are the symptoms before there’s an attack? OK. And using this Intel and seeing where the vulnerabilities are, the human ones. Before it happens because you know the FBI gets 2300 phone calls a day. The Verizon 2023 report, which is Global Resilience Federation data, also contributes to that. It’s all credential stuffing, credential stuffing, phishing. You’ve heard these terms. This is where some horrible percent. Logins in average and networks like 60% of them have some fraud associated. People are getting in and can impersonate employees all right. And when you have an environment like universities, you need to know before this happens. You need to know when there is a spike in breach data, which means have credentials been taken. So if there’s a spike pattern that’s going to happen. Before a campus is hit, that’s when you can go and look at the vulnerabilities. For the humans, the humans who, how are they getting in through the humans? So I think for universities that have all kinds of people accessing their networks, you know, you take students who also run the clubs and things like that and they’re funded by the universities and now you’re getting a mix of access. And so you really need to watch it. How those credentials are being protected before there’s an attack? Because then you’re in prevention, land and prevention land is less expensive than mitigation land. Always look at those data. Look how good your data is, how much is your Intel? I mean, our world is mirroring this, so yes. And there’s some really great data out there.
Kevin Hogan
And we made it almost 10 minutes without mentioning ai, but I can only assume that that is going to be part and parcel of next generation defenses and and cyber security aspects of both on the the attack and on the defensive right.
Rivka Tadjer
Absolutely. So it needs its guardrails and we’re not there yet, but I would also like to define ai here because everybody calls everything ai. That’s not ai ChatGPT is machine learning data in data out data in data out. You take me to a cool robotic center where the robot can clean my house. Now you’re talking about ai. But this is machine learning. And it’s a very good point. OK. So guardrails on machine learning are going to be very important and then they can be super helpful, but because it’s machine learning data and data out monitoring it with really good threat Intel data can help someone in IT. So you can sort of see how it’s. Doing and use it as a sample set of what you need to protect and what you need to protect. But it’s great for disseminating information, for engaging because they have to engage such a diverse. Body OK, think of any other corporation where you’re dealing with students and then a presidential Provost and executives. And I’ll tell you one other thing that I would like stand by any executive in IT is that by and large, it’s the sea level. And the executives who are exempt from training.
Kevin Hogan
Hmm.
Rivka Tadjer
They’re the ones who need it most, because am I going to steal the credentials of an administrative assistant who has access to nothing? No, I want the C-Suite that have keys to the Kingdom. That’s where I’m coming in. So only training when you have a rank and file and universities are rank and file. Does nothing. The students will learn the fastest. They will do things and you can impose things on them, but you have to bring those executives. And force it.
Kevin Hogan
Especially because only in the last couple of years that those provosts have begun to. Use e-mail anyway.
Rivka Tadjer
And the board members and the trustees come in without their Edu emails. OK, so the biggest.
Speaker
Right.
Rivka Tadjer
Problem with breaches and is when people mix personal. With official emails and then they’re all remote because in the university environment, the IT guys have that Wi-Fi locked down, right, they have their firewall. Yes. You know, board members, just like students, they come in with their gmails and they’re accessing all kinds of stuff and that’s what’s creating a problem. It’s exactly why the remote workforce during COVID created problems. Because you’re sitting at home on the same Wi-Fi that you’re teenagers playing all their infested games on your screen on your, you know, on the same router. Right it it’s exactly why. So that kind of thing and they need budgets for good data.
Kevin Hogan
So much great information in such a short period of time here as a last question. For our readers and for our listeners, prioritize their lists for 2024. I mean, all the various things that that you talked about, great advice along the lines. Can you give us a top three in terms of of A2 do when they wake up tomorrow morning?
Rivka Tadjer
Yeah. Here we go one. Examine the insurance policy of the university. There’s going to be fine print. There’s going to be a list of 10 little things somewhere along the line. That if you do not do, they will not pay a claim or things like that and work. This is a great project to go to legal with and your operations person went and say I’m gonna be liable for this in the end. You go over this with me. I want to know definitively and I want this unpacked right T2 threat Intel systems data. You’re only as good as your data. Human behavior get one. Analyzes the threats before they become a problem on your network, and the third part is to coordinate with other departments. For this human behavior this to be an HR issue of all your constituents, including your trustees and people who are coming in outside of the network. What is the protocol? And that’s why to do the insurance. First, because it’s like compliance, it will drive what you need to do, and then by the time you’re done with that, you’re going to have training. I’m sorry, I’m adding it for training. Training that no one is exempt.
Kevin Hogan
Well, as always great advice, Rivka, I appreciate your insights every year, but we’ll talk again before next year. But once again, good luck with all of your work and with your work, with your universities. And then just always appreciate.
Rivka Tadjer
Appreciate you too. And thank you for everything you do.
Kevin Hogan
And that’s all we have for this month’s edition of Innovations in Education. Be sure to go up online to eschoolnews.com and subscribe if you are interested in the topics to all of our podcasts, as well as check out the latest and greatest news and resources that we have online at in our newsletter.
Speaker
Yours.
Kevin Hogan
Once again, I’m Kevin Hogan, content director for East School news. Thanks for listening and I hope you click through again soon.
!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version=’2.0′;
n.queue=();t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)(0);
s.parentNode.insertBefore(t,s)}(window, document,’script’,
‘https://connect.facebook.net/en_US/fbevents.js’);
fbq(‘init’, ‘6079750752134785’);
fbq(‘track’, ‘PageView’);