
May 1, 2024

Building Resilience: Best Practices for Threat Response Strategies in Higher Ed

By: Jacob Picart

Your data is your institution’s crown jewel, and attackers constantly look for ways they can hack into your systems and gain access to it.

While bad actors pose a threat across industries, higher education is particularly vulnerable due to a lack of resources, expertise, deferred maintenance, and the sheer number of users accessing the network for diverse purposes. In this dynamic digital landscape, you must know how to enhance your institution’s security posture and avoid becoming the latest headline victim of a cybersecurity attack.

In this post, we’ll walk through how educational institutions can create effective threat response strategies—and why it’s so important to have one in place.

The key components of a successful higher ed IT threat response strategy

Threat response strategy in higher ed was fairly straightforward a decade ago—implementing firewall protection and antivirus software, with some rudimentary backup and disaster recovery plans was usually enough.

Today, though some organizations still work with this outdated strategy, the overall tone has shifted. Rather than relying on a reactive approach, higher education institutions must pivot to adopting a proactive, holistic threat response strategy.

Preventative security assessments

When it comes to threat response, preventing every intrusion is near impossible (more on this below). What you can do is detect intrusions early, respond by containing the blast radius, and recover from immutable backups. Rather than waiting for an attack to impact your university, get ahead of it by protecting your data and your users up front.

First, start at the edge and work your way in. Keep firewall and VPN appliances patched to current versions and audit their configurations, because these devices are the first thing an attacker touches. Keep every publicly exposed application patched and place a web application firewall (WAF) in front of it to protect against Layer 7 attacks. Protect data in transit by retiring legacy encryption protocols (SSLv3, TLS 1.0, and TLS 1.1) and allowing only TLS 1.2 and above, so that sensitive information such as student records, research data, and faculty credentials cannot be read on the wire; encrypt data at rest as well, so that a stolen disk or copied database does not become a breach on its own. Having these protections in place also supports compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which requires that safeguards be in place for sensitive customer data.
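The "retire legacy protocols" step above is easy to get half right: an Apache directive like `SSLProtocol all -SSLv3` turns off SSLv3 but still leaves TLS 1.0 and 1.1 enabled. The following is an added example, not code from the original post or from Apogee, that audits nginx `ssl_protocols` and Apache `SSLProtocol` directives in a configuration dump and emits a TLS 1.2+ replacement. The config text is constructed for illustration, and the set of protocols that Apache's `all` keyword expands to is an assumption that depends on the installed OpenSSL version.

```python
"""Audit web-server TLS protocol settings for anything below TLS 1.2.

Added example for this post, not Apogee's code. Scans nginx-style
`ssl_protocols` and Apache-style `SSLProtocol` directives in a config text,
reports legacy protocols that remain enabled, and suggests a hardened line.
"""
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: what Apache's "all" keyword expands to on a typical build.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Constructed sample: one nginx vhost that still lists TLS 1.0/1.1, and one
# Apache vhost whose "all -SSLv3" looks hardened but leaves TLS 1.0/1.1 on.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name registrar.example.edu;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
<VirtualHost *:443>
    ServerName research.example.edu
    SSLProtocol all -SSLv3
</VirtualHost>
"""

NGINX_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.M)
APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+)$", re.M)


def expand_apache(tokens):
    """Resolve Apache's 'all' plus +/- modifiers into an explicit set."""
    enabled = set()
    for tok in tokens:
        if tok.lower() == "all":
            enabled |= APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit_tls_protocols(config_text):
    """Return [(directive, enabled_protocols, legacy_protocols_still_on), ...]."""
    findings = []
    for m in NGINX_RE.finditer(config_text):
        enabled = set(m.group(1).split())
        findings.append(("ssl_protocols", enabled, enabled & LEGACY))
    for m in APACHE_RE.finditer(config_text):
        enabled = expand_apache(m.group(1).split())
        findings.append(("SSLProtocol", enabled, enabled & LEGACY))
    return findings


def hardened_directive(directive):
    """Replacement line that allows only TLS 1.2 and TLS 1.3."""
    if directive == "ssl_protocols":
        return "ssl_protocols TLSv1.2 TLSv1.3;"
    return "SSLProtocol -all +TLSv1.2 +TLSv1.3"


if __name__ == "__main__":
    for directive, enabled, legacy in audit_tls_protocols(SAMPLE_CONFIG):
        status = "FAIL" if legacy else "OK"
        print(f"{status} {directive}: enabled={sorted(enabled)} legacy={sorted(legacy)}")
        if legacy:
            print("  fix ->", hardened_directive(directive))
```

Run it against a concatenation of your vhost files; a clean run is one with no FAIL lines. The static check complements, but does not replace, probing the live listener, since a load balancer in front of the server may terminate TLS with its own settings.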

Beyond your institution’s network core and data, the end users are the next target. If adversaries can’t get through the firewall or the WAF, and they can’t breach the application, they will go after your users with tactics such as social engineering.

Zero Trust principles

To combat threats against your users’ identities, universities should apply Zero Trust principles, as outlined by the National Institute of Standards and Technology (NIST) in Special Publication 800-207, Zero Trust Architecture, to every end user, from applicants to professors to the university president. NIST SP 800-207 rests on the premise that trust is never assumed, regardless of where an access request originates; adopting this paradigm shift means assuming breach.

Many institutions are wary of implementing a Zero Trust framework—not because they don’t believe in its effectiveness—but because of its prohibitive costs, complexity, and resource-intensive setup. However, in the long run, the initial time and expense associated with setting up Zero Trust more than pay for themselves—especially if your university is able to avoid a costly ransomware attack.
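To make the paradigm shift concrete, the following added example (not code from the original post, from Apogee, or from NIST) evaluates the same four access requests under a perimeter model and under a Zero Trust policy. The resources, roles, attributes and requests are constructed; the point is that the Zero Trust decision is made per request from identity, device and session signals, and that being on the campus network never grants access by itself.

```python
"""Perimeter model vs Zero Trust decision on identical access requests.

Added example for this post; resources, roles and requests are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str             # e.g. "student", "registrar", "faculty"
    on_campus: bool       # request originates from the campus network
    mfa_verified: bool    # strong second factor completed this session
    device_managed: bool  # institution-managed, compliant device
    resource: str


# Constructed policy: which roles are entitled to which resource, and
# whether the resource is sensitive enough to require a managed device.
POLICY = {
    "lms":             {"roles": {"student", "faculty"}, "managed_device": False},
    "student_records": {"roles": {"registrar"},          "managed_device": True},
    "research_share":  {"roles": {"faculty"},            "managed_device": True},
}


def perimeter_decision(req):
    """Legacy model: inside the firewall means trusted."""
    return "allow" if req.on_campus else "deny"


def zero_trust_decision(req):
    """Deny by default; every request must pass every check.

    Returns 'allow', 'step_up' (prompt for MFA) or 'deny'.
    """
    rule = POLICY.get(req.resource)
    if rule is None or req.role not in rule["roles"]:
        return "deny"            # no entitlement, no access, wherever you are
    if rule["managed_device"] and not req.device_managed:
        return "deny"            # device posture fails for a sensitive resource
    if not req.mfa_verified:
        return "step_up"         # identity not yet strongly proven this session
    return "allow"


def compare(requests):
    """Return (user, perimeter decision, zero trust decision) per request."""
    return [(r.user, perimeter_decision(r), zero_trust_decision(r)) for r in requests]


SAMPLE_REQUESTS = [
    # phished student account on campus Wi-Fi reaching for student records
    AccessRequest("stu1", "student", True, False, False, "student_records"),
    # registrar working from home on a managed laptop, MFA completed
    AccessRequest("reg1", "registrar", False, True, True, "student_records"),
    # registrar on campus, MFA completed, but on a personal device
    AccessRequest("reg2", "registrar", True, True, False, "student_records"),
    # faculty on campus, managed device, MFA not yet completed
    AccessRequest("fac1", "faculty", True, False, True, "research_share"),
]

if __name__ == "__main__":
    for user, old, new in compare(SAMPLE_REQUESTS):
        print(f"{user}: perimeter={old:5} zero_trust={new}")
```

The two models disagree on three of the four requests: the perimeter model lets the compromised student account and the unmanaged device through because they are on campus, and blocks the legitimate registrar working remotely. In a real deployment the signals would come from the identity provider and the endpoint management platform rather than from fields on a request object.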

Recovery and monitoring

No matter how prepared you are, incidents will happen, and the recovery can be brutal. According to the IBM Data Breach Action Guide,1 it takes organizations an average of 207 days to identify a breach and a further 70 days to contain it: 277 days in total during which the adversary has access to the environment.

So, how can your institution minimize disruption from cyberattack?

As with preventative measures, Zero Trust principles are a good place to start. Even when there isn’t an identified threat, assume you’ve been breached. This assumption aligns with the evolving cybersecurity landscape, where proactive measures and continuous monitoring are essential for early threat detection and response. Essentially, this posture helps you identify and contain threats before they become a major issue.

Ongoing monitoring

After implementing robust protection measures and response plans, continuous monitoring and threat intelligence become critical components of maintaining a strong cybersecurity posture. Continuous monitoring involves actively observing and analyzing network traffic, user activity, and system logs to detect any suspicious or malicious behavior in real time. This proactive approach allows your institution to identify potential threats early and take immediate action to mitigate risks.

Instituting 24/7 monitoring also demonstrates a commitment to ongoing improvement and readiness in addressing evolving cybersecurity challenges for everyone on campus.
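Continuous monitoring only pays off if the analysis looks for the right shape of activity. The following is an added example, not code from the original post or from Apogee, that runs detection logic over constructed authentication log lines and separates two patterns that matter on a campus with tens of thousands of accounts: a brute-force attack on one account, and a password spray that touches many accounts a few times each and therefore never trips per-account lockout. The log format, thresholds and sample entries are constructed; a real SSO or identity provider log will need its own parser.

```python
"""Detect brute force and password spraying in authentication logs.

Added example for this post, not Apogee's detection content. The log line
format, the thresholds and the entries below are constructed.
  - brute force: many failures against one account from one source
  - password spray: a few failures each against many accounts from one
    source, which stays under per-account lockout thresholds and is missed
    by account-centric alerting
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 198.51.100.7 sprays one guess across 12 accounts,
# 203.0.113.9 hammers a single account, 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = "\n".join(
    [f"2024-04-01T08:00:{i:02d} auth FAIL user=student{i:03d} src=198.51.100.7"
     for i in range(12)]
    + [f"2024-04-01T08:01:{i:02d} auth FAIL user=registrar1 src=203.0.113.9"
       for i in range(8)]
    + ["2024-04-01T08:02:00 auth FAIL user=prof_lee src=192.0.2.5",
       "2024-04-01T08:02:10 auth OK user=prof_lee src=192.0.2.5"]
)


def parse(log_text):
    """Yield one dict per line matching LOG_RE; silently skip other lines."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def detect(log_text, window=timedelta(minutes=10),
           brute_threshold=5, spray_accounts=10):
    """Return {src: set of findings} for sources that cross a threshold
    within any sliding window of their failed logins."""
    failures = defaultdict(list)                 # src -> [(ts, user), ...]
    for e in parse(log_text):
        if e["result"] == "FAIL":
            failures[e["src"]].append((e["ts"], e["user"]))

    findings = defaultdict(set)
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until all events fit in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= spray_accounts:
                findings[src].add("password_spray")
            if max(per_user.values()) >= brute_threshold:
                findings[src].add("brute_force")
    return dict(findings)


if __name__ == "__main__":
    for src, kinds in detect(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(sorted(kinds))}")
```

Keying the spray check on distinct accounts per source, rather than failures per account, is what catches the first source; an alert that counts failures per account sees only one failure each and stays silent. Tune the thresholds to your own baseline before deploying, and expect spraying from cloud IP ranges to require grouping by ASN or user agent as well as by source address.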

Staying current with security threats

While network breaches happen every day, the good news is that we can learn from them.

The MITRE ATT&CK framework is a public knowledge base of adversary tactics and techniques, built from real-world observations, that describes how attackers operate and which known groups use which techniques.2 In short, it’s a shared playbook of attacker behavior that you can map your detections and defenses against.

Staying informed about recent attacks and application vulnerabilities is another great way to know about potential threats before they impact you. Sources like Krebs on Security are a good place to start, particularly his recent post on Apple and Microsoft’s latest security holes.3

It’s overwhelming to learn about the sheer number of threats in cyberspace, let alone respond to them before it’s too late. Partnering with an industry expert like Apogee provides invaluable support and guidance, helping institutions proactively address challenges and stay ahead of potential cybersecurity risks.

Collaboration with academic departments

Don’t overlook the interpersonal aspect of a strong threat response strategy. Though you need technology to defend your network, building solid partnerships and communication with various academic departments in the institution is important, too.

This collaboration gives you a more comprehensive understanding of potential threats specific to educational activities, research projects, or administrative functions. It also facilitates a coordinated, smooth response to future security incidents and accelerates security training across the university.

Common threat response pitfalls to avoid

Developing a threat response strategy can be daunting, especially when you have so much on your plate. You’re likely grappling with budget constraints, staff shortages, complex IT environments—which makes implementing a robust cybersecurity strategy extra complicated.

We’ve covered some best practices for cybersecurity, but it’s equally important to highlight what not to do.

Overlooking a data backup strategy

It can’t be overstated: having a backup of your institution’s data is paramount. If all else fails, a tested, immutable backup means you can restore your data rather than pay an attacker’s ransom. If you don’t have proper backups in place, tested frequently by actually restoring from them, you not only risk losing critical information in a cyber incident, but also may face regulatory, financial, and legal consequences.

Inadequate security measures

Institutions without in-house security expertise, or with limited resources to allocate to their security posture, are frequently left vulnerable to cyberattack. Inconsistent patching and updating of systems and software, limited encryption of data at rest or in transit, poor endpoint management, and little to no security awareness training are just a few examples of practices (or the lack of them) that only increase the risk of a breach.

Insufficient user awareness and training

Neglecting to educate faculty, staff, and students about cybersecurity best practices can have severe consequences. If students understand why they’re asked to add an authenticator app to their phones, it creates a more security-conscious culture. Training everyone on campus on the importance of data protection and on how to recognize bad actors reduces the risk of human error and lessens the likelihood of successful cyberattacks.

Embracing proactive threat response for a resilient higher education landscape

Going forward, higher ed institutions must move beyond mere compliance and reactive measures. Zero Trust principles are the gold standard for safeguarding sensitive data, preserving your school’s reputation, and maintaining smooth operations amidst evolving cyber threats.

Together, people, processes, and technology create the framework for safeguarding your institution’s IT environment. Training and empowering your people—your staff, students, and other campus stakeholders—to recognize and react to security threats is essential. Building on that training and awareness with processes that guide actions and decision-making is equally important. Finally, leveraging technology, the tools and systems used to protect data and infrastructure, ensures a comprehensive approach to security posture.

If your university lacks the resources to do so, drawing on external expertise through managed services is a viable option. Managed detection and response (MDR) and other next-gen security technologies are complex, time-consuming, and costly to set up, especially if it’s your team’s first time doing so.

Apogee security services help close gaps in security expertise and offer your organization cost-effective strategies for protecting sensitive data on your campus.

Learn more about how Apogee helps fortify your campus IT security posture today.


1. IBM, “Data Breach Action Guide,” August 2023. Accessed April 1, 2024.

2. MITRE, “MITRE ATT&CK® Framework.” Accessed April 1, 2024.

3. Brian Krebs, Krebs on Security, April 2024. Accessed April 1, 2024.

Jacob Picart

Vice President, Security Services Jacob Picart joined Apogee in 2023 as a member of the Executive Leadership Team. In his current role, Jacob is sharing his extensive experience in security compliance and related technologies, Amazon Web Services and Microsoft Azure cloud services, and network services for the benefit of Apogee and its higher ed clients. He is responsible for expanding the company’s comprehensive portfolio of information security services for colleges and universities. He is also responsible for continuously improving internal security processes and procedures at Apogee. Prior to joining Apogee, Jacob held various roles including serving as a cyber security architect, cloud solutions architect, and network and system engineer; leading a Managed Services Provider practice; and serving as an adjunct instructor of technology at a San Francisco-based business school, where he taught classes on Cisco-based networking, wireless, Microsoft and Linux server administration, information security, and ethical hacking. Picart is a member of the CompTIA Community and a past member of the EC Council. He has earned multiple AWS and Azure cloud certifications. He also holds Certified Ethical Hacker (CEH), Microsoft Certified Professional (MCP), Microsoft Certified Security, Compliance and Identity Engineer, AWS and Azure Solutions Architect, and CompTIA Network+ and Security+ certifications, as well as various designations from industry leaders such as Splunk, Palo Alto Networks, and Brocade. Most recently, Picart obtained the Certified Information Systems Security Professional (CISSP) certification from the International Information System Security Certification Consortium (also known as ISC2).
