Montana’s flagship campuses pledged on Tuesday to consolidate their cybersecurity, but University of Montana President Seth Bodnar said similar threats to small businesses can also be devastating.
About 45% of cybersecurity attacks target small businesses, and of those that do experience attacks, about 60% times, Bodnar said. He and a Montana State University-Bozeman official pledged to address their own tech security shortcomings presented to lawmakers in a Legislative Audit Division report, but Bodnar also said Missoula College is proposing nationally recognized cybersecurity training.
“I also believe that we have an obligation as a university to be a place where we can provide that training, that education, to make Main Street businesses safe in the state of Montana,” Bodnar said.
Missoula College’s Department of Information Technology and Business notes on its website that the National Security Agency and the United States Department of Homeland Security have identified the college as a National Center of Academic Excellence in two-year cyber defense education. Bodnar also gave a nod to the $1.5 million the Montana Legislature allocated in 2021 for a Cyber Hub at the college.
In comments to the Legislative Audit Committee, Bodnar said Missoula College had previously helped train the Montana National Guard and was in discussions about other training it could arrange, including with the Department of Commerce. He noted that the campus was recently approved for a Bachelor of Science degree to build on its two-year cybersecurity program, and is also working on a certificate and graduate training.
Bodnar’s comments followed a presentation by Miki Cestnik, Head of Information Systems Audit in the Legislative Audit Division, on security findings from a recent audit of MSU and UM and an assessment of the role of the Montana Board of Regents and the Office of the Higher Education Commissioner in information technology security.
“The main point of this report is that everyone plays a role in information security, and everyone here has work to do,” Cestnik said.
Cestnik said higher education institutions collect, use and create data, and hold student data, financial data, personal health data and research data. During the audit, she said, contractors identified vulnerabilities on both campuses, and the campuses need to protect information and guard against service disruptions.
“With all these types of data in one place, higher education institutions are a rich target,” Cestnik said.
However, Cestnik also said the board and the commissioner’s office need to provide more guidance to campuses on risk management and governance. In general, she said, cybersecurity is becoming more expensive, and she noted that the cost to UM of HIPAA-specific cybersecurity insurance has increased from $11,000 to $44,000 because UM’s security program posed too high a risk. (UM declined the coverage but continues to be generally covered for cybersecurity breaches, according to the audit.)
Commissioner Clayton Christian said he agreed with the findings, and he also noted that a working group had already formed to address some of the challenges and planned to review best practices. Christian said the work takes place on campuses and is expensive, but he agreed it needed to be better coordinated.
“Among the things that keep me up at night, cybersecurity is definitely one of them,” Christian said. “It’s not going to go away. It becomes more complex. How we deal with it is definitely part of that complexity.”
Senator Pat Flowers, a Democrat from Belgrade, said from his experience that it’s easy to spend a lot of money on cybersecurity, and he wondered if there were any guidelines for campuses.
“It feels a bit like a bottomless pit in terms of money you can spend on cybersecurity,” Flowers said. “Is there a standard? For example, how much is sufficient or what level of risk is acceptable? Because you will never get to zero. How do you do that calculation to know how much to invest in cybersecurity to reduce risk to what level?”
Cestnik said she didn’t have a number, but she said campuses need to identify a strategy and establish their risk tolerance and thresholds and how to prioritize cybersecurity to determine how much to spend. She also agreed with Flowers’ assessment: “It can be a bottomless pit.”
In her report, Cestnik also noted that turnover at MSU and hiring issues at UM were among the problems. Bodnar noted that two national searches to hire an information security officer failed, so UM trained and promoted internally instead. He noted that Montana has some 3,683 cybersecurity jobs, and 1,100 of those are unfilled.
“There is a massive war for talent,” Bodnar said.
Federal regulations control some of the data protection, but Cestnik also said higher education officials have a choice in how they decide to oversee information technology security. For example, she said the state can take a centralized or decentralized approach, and both options have worked well in other states.
Rep. Terry Moore, a Republican from Billings, said he’d like to see representatives from the university return in about six months for an update, and the committee chair, Rep. Denise Hayman, a Democrat from Bozeman, said that she agreed, as did Commissioner Christian.
“It seems that given the importance of the risk management issues that have been identified, as well as a whole series of strategic conversations that are going to take place behind the scenes, it might be good to have a follow-up report,” Moore said.