In the 1930s, when Louis A. Simon designed the famous U.S. Bullion Depository at Fort Knox, he could only have hoped that the building would be so secure, so impenetrable, that generations of Americans would come to regard “Fort Knox” as the highest compliment that could be given to a structure whose purpose is to defend whatever is inside.

In the case of Fort Knox, what’s inside are the U.S. gold reserve vaults. In the case of Broward College in Florida, what’s “inside” is the personal information of more than 68,000 students, 2,000 staff and faculty, and thousands more alumni and other former community members. And it really is a modern-day Fort Knox when it comes to its approach to network security.

Playing the role of Louis A. Simon for Broward is Matt Santill. On paper, he’s Broward’s chief information security officer. Informally, he’s the school’s “Mr. No.” Santill is the reason that students, staff and faculty are no longer able to connect their personal devices to the school’s network without registering them first, he’s the reason peer-to-peer connections aren’t allowed, and he’s the reason that staff cannot use personal cloud-based file-sharing services.

Santill acknowledges to Network World that this approach – seen more in enterprises – is a rarity on college campuses. Yet, that doesn’t mean it’s unfair or overly broad. Santill’s approach to network security has kept Broward’s name off the front page and protected its students and staff – what seems to be a rarity these days.

Broward College: An Exception to the Recent Rule

It was a spring to forget for three prominent institutions of higher education, all of which were victimized by cyber-attacks:

  • In February, the University of Maryland announced it had uncovered a broad cyber-attack dating back 16 years and affecting more than 300,000 members of its community.
  • That’s about the same number of victims of a North Dakota University hack weeks earlier, affecting students, alumni and applicants, as well as staff.
  • A breach of Indiana University “only” affected 146,000 students, although that information was exposed for nearly an entire year.

Why have so many colleges and universities been targeted? According to Paul Stephens, a consumer privacy rights advocate, there are structural vulnerabilities unique to institutions of higher learning.

“Universities tend to have a more open information technology architecture,” Stephens told the Capital News Service last spring. “You have various parties operating within the system — you’ve got students, you have teachers, you have faculty, you have administration staff, and so on.”

And if the scope of these attacks isn’t convincing enough, consider the costs colleges and universities face as a result of a breach – internal investigation expenses, victim restitution (e.g. free identity protection and credit monitoring services), notification and call center expenses to respond to inquiries, and possibly even fines for PCI and HIPAA non-compliance. The list goes on.

Building a Campus-Based Fort Knox

Remember the June network breach that affected some 200,000 members of the Butler University community? At the time, we explained how a “think like an enterprise” approach to network security might have prevented the breach. Does that sound similar to the network security strategy Santill has put on Broward’s syllabus?

Santill certainly has the right approach, but has he considered students and staff who live and work off campus? Anyone who accesses the college’s network remotely could represent a vulnerability. That’s why beyond thinking about internal access, educational institutions should think like enterprises and implement solutions that secure their remote access. The first step to shoring up remote access is for institutions to consider VPNs with central management functionality, allowing administrators to automatically ensure that all devices connecting to a network are in compliance at all times, centrally roll out updates to VPN clients and certificates, and revoke network access or even deprovision a user as soon as an attack is detected.

As strong as the real Fort Knox’s immediate defenses are, you can be sure that the roadways leading up to the facility are just as heavily fortified. For any organization today, those “roadways” are the tunnels users connect through to access the network remotely. And it’s critical they remain secure.

If a group is really only as strong as its “weakest link,” then why are so many enterprises, which are otherwise concerned about their network security, so quick to add new “links”? Every new user that gains privileged network access increases the risk that one link in the chain could break, thereby jeopardizing the entire organization.

Two of the highest-profile companies in the world – eBay and Target – learned this lesson the hard way, after attackers were able to gain remote access to their networks by compromising just a handful of privileged user credentials. So, while the attacks were ultimately carried out by malevolent actors, they might have never occurred if not for unknowing accomplices on the inside.

“Privileged” users are called that for a reason. In some cases, they have unfettered access to system and network resources, as well as the protected information hidden behind these systems. There may be fewer controls over them. They can also remotely access the network, from any device, further escalating risk. They can be database administrators, data center operators, application developers or network engineers. The list goes on.

In some cases, after the dust settles from a breach involving a privileged user, these insiders are found to have had ill intent. Other times, something as seemingly harmless as an administrator misplacing a password, accidentally clicking on a malicious link or failing to log out of a system can lead to a devastating leak.

So, how widespread is the problem? It’s not enough to point to the eBay and Target breaches alone and conclude that the danger posed by privileged users is on the rise. What’s clear, though, is that companies aren’t doing nearly enough to insulate themselves from privileged user threats: only 40 percent of IT budgets include funding to fight insider threats, which leaves most businesses exposed to a threat they already know about.

Strength in Numbers?

As organizations face granting rights to more privileged users, Network World has identified three steps they can take to protect themselves from widespread privileged user abuse:

  1. Reduce privileged accounts, if possible, and manage those that are given out
  2. Train employees as to best practices for network security
  3. Monitor privileged user activity

If organizations follow these steps, they will build a self-sustaining culture of network security.

There’s another step though – developing a defense-in-depth network security strategy. By building redundancy and resilience into their security infrastructure, organizations protect themselves in the worst-case event that one defense mechanism fails. Anchoring a defense-in-depth strategy should be a centrally managed VPN solution that uses encryption to protect data sent and received by remote users.

The central management aspect of VPNs is also key to protecting against insider threats because it makes it easier to deprovision users. Because of the Bring-Your-Own-Device (BYOD) trend, there have never been more devices connected to enterprise networks. Each new user and device adds to an enterprise’s attack surface, so the risk grows with every connection unless it is managed. Any time an employee is dismissed, or a breach can be traced back to them, their device should be deprovisioned as soon as possible.

As the chain analogy showed earlier, there’s strength in numbers, but only if all users pull in the same direction. Or, as Network World explains this dichotomy: “With greater access to a company’s computer assets comes greater security risk. The privileged user can be a company’s security enforcer but also its greatest security risk.”

Even though the Houston Astros have been the worst team in Major League Baseball for the last three seasons, one of the team’s off-the-field accomplishments — its proprietary internal computer database — is now the envy of the rest of the league.

This system, known as Ground Control, allows the team’s front office executives to centralize and exchange information about player contracts, scouting reports and statistics — all through one web address.

Yet, even as news story after news story praised Ground Control and general manager Jeff Luhnow, who is much of the brains behind the system, Luhnow himself spoke about his “low-level but omnipresent worry” around Ground Control — that the sensitive information it contained could be exposed. Given Luhnow’s past work as a technology entrepreneur, his risk-averse approach should come as no surprise.

In March, Luhnow told the Houston Chronicle that the team had insulated itself from risk by only giving employees access to the specific information they needed to make decisions.

Despite all these precautions, an outside hacker infiltrated Ground Control last month, revealing private conversations that the Astros had with other Major League Baseball teams. In the wake of the incident, Luhnow has said the team is working to upgrade its remote access security infrastructure and he, for the time being, has gone back to using a pencil and paper to take notes, just to be safe.

In acknowledging the “double-edged sword of technology,” he said that other teams should also evaluate their own remote access security, because, in his words, “If it happened to us, could it have happened to other clubs?”

The Astros leak is interesting because it’s thrust into the spotlight an organization whose network security practices generally aren’t newsworthy — when was the last time you thought about how a baseball team secures its data?

Similarly, when was the last time you thought about how your college or university manages personal information about members of its community?

If you’re a student, alumnus, or staff or faculty member affiliated with Butler University, the thought has definitely crossed your mind in the last few weeks, following news of a remote hack that targeted the school. The attack is believed to have compromised the personal information — birth dates, Social Security numbers and bank account information — of up to 200,000 people in the Butler community.

Although a suspect has been arrested, the investigation is still ongoing. Meanwhile, Butler has already taken steps to patch up its remote access infrastructure.

Enterprise-Quality Network Security — Not Just For Enterprises

Together, the high-profile hacks of the Houston Astros and Butler University show why it’s important for every organization to think like an enterprise in constructing a network security plan. It’s not just enterprises or retailers like eBay and Target that can be victimized and subsequently lose the trust of their customers if a breach occurs.

As more information about both hacks is revealed, many news stories will focus on preventative measures — and rightfully so. What they should say is that it’s most important for a company to limit its network security vulnerabilities, and the best way to do that is through a comprehensive security framework that can secure every possible access point into your company. Attackers are persistent and creative — if they’re unable to breach the first line of defense, they’ll just keep prodding until they find a point of entry. Companies need a “kitchen sink” approach, from firewalls and VPN solutions that shore up remote access to rigorous employee training.

You’ll notice we didn’t mention Luhnow’s temporary “pen and paper” solution. That’s because it’s important not to be scared away from technology in the aftermath of these types of incidents. They’ll continue to happen, but with the right network security approach, your business will be spared the embarrassment and front page headlines that follow a hack.

As technology advances, the number of cyber-attacks on both public and private networks also increases. According to the Washington Post, in 2013 alone, more than 3,000 enterprises were notified of system hacks that had the potential to expose sensitive information and powerfully damage their brands.

Former NSA director Keith Alexander pointed out earlier this week that government networks are far from secure, as the NSA and the Department of Defense uncovered more than 1,500 pieces of malware on the U.S. government’s most secret networks.

“What causes me the greatest concern is what might happen if our nation was hit by a destructive cyber-attack,” Alexander said, noting that most of the country’s critical networks are operated by private industry. “If [a destructive attack] hit one of our Wall Street banks, the monetary damage could be in the trillions of dollars. We’re not ready.”

That is certainly a chilling thought, but are government agencies doing enough to secure remote access to their networks and the networks themselves? All signs point to no, given the increasing number of breaches agencies have been reporting recently, such as the public utility industrial control system (ICS) compromise reported by the Department of Homeland Security this month. Needless to say, urgent action needs to be taken to defend against such attacks.

In fact, Alexander’s comments could not have come at a better time, as the Montana Department of Public Health and Human Services was recently hacked and 1.3 million patients had to be notified that their sensitive information was potentially compromised. While there was no proof that the data was used for nefarious purposes, the agency has already “taken several steps to further strengthen security, including safely restoring all systems affected, adding additional security software to better protect sensitive information on existing servers, and continually reviewing its security practices to ensure all appropriate measures are being taken to protect citizen information.”

Had its network been supported and protected in a more strategic manner, this breach could have been prevented. If organizations leave even one small hole in their network security, a hacker can use it to devastating effect. As Eyal Firstenberg, vice president of cyber research at LightCyber, said, “In fact, once mission-driven attackers have established a stable beachhead they leverage legitimate existing network resources, like user credentials, for the next phases of the attack. They thus render traditional security controls, like AV, firewalls, and sandboxes useless. With no system in place to monitor the internal network in real-time, attackers are effectively allowed to explore, compromise and exploit the network at their leisure.”

Why Every Organization Should Adopt a Defense in Depth Strategy

Much like enterprises, government agencies need to strongly consider the vast range of new attack vectors when planning their network security measures. Organizations must now adopt defense in depth strategies to ensure secure remote access and prevent similar attacks from occurring. Each and every network security component, including VPNs (preferably with central management), firewalls, intrusion prevention systems and more, must be able to not only contribute to creating layers of network redundancy in case of attack, but also rapidly adjust to threats as they are occurring.

As Firstenberg mentioned, monitoring systems are crucial to protect against hackers. This is where the benefits of implementing a remote access solution with central management come into play. With such a solution, network administrators can revoke access immediately after a breach is discovered. It also enables network administrators to control who can access what parts of the network within certain parameters, which reduces the risk of hackers accessing sensitive information. In addition, tasks such as provisioning/deprovisioning, and client and certificate rollout are automated, to ensure that every endpoint is always in compliance.
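The central-management controls described here and in the privileged-user section above (revoke access the moment a breach is found, scope each user to only the network segments their role needs, keep every endpoint compliant, and deprovision a user in one step), as an added example that is not the article’s or any vendor’s code. The policy object, user and segment names, client versions and dates are all constructed for illustration.

```python
# Added example (not code from the article or any product): a minimal model of
# a centrally managed remote-access policy. Every tunnel request is decided by
# one policy object against its current state, so an administrator can raise
# the required client version, revoke certificates, or deprovision a user in
# one place and have the next connection attempt reflect it immediately.
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Device:
    owner: str               # user the device is registered to
    client_version: tuple    # installed VPN client version, e.g. (10, 2)
    cert_expires: date       # expiry of the client certificate
    cert_revoked: bool = False

@dataclass
class User:
    segments: set            # network segments this user's role may reach
    active: bool = True

@dataclass
class CentralPolicy:
    min_client: tuple                           # minimum compliant client
    users: dict = field(default_factory=dict)
    devices: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # decision log for monitoring

    def authorize(self, user, device, segment, today=None):
        """Return (allowed, reason); only a fully compliant request passes."""
        today = today or date.today()
        u = self.users.get(user)
        d = self.devices.get(device)
        if u is None or not u.active:
            reason = "user not provisioned or deprovisioned"
        elif d is None or d.owner != user:
            reason = "device not registered to this user"
        elif d.cert_revoked:
            reason = "client certificate revoked"
        elif d.cert_expires < today:
            reason = "client certificate expired"
        elif d.client_version < self.min_client:
            reason = "VPN client below required version"
        elif segment not in u.segments:
            reason = "segment outside user's privileges"
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.audit.append((user, device, segment, allowed, reason))
        return allowed, reason

    def deprovision_user(self, user):
        """Disable the account and revoke every certificate issued to it."""
        self.users[user].active = False
        for d in self.devices.values():
            if d.owner == user:
                d.cert_revoked = True

    def require_client(self, version):
        """Centrally raise the minimum client version; stale clients fail."""
        self.min_client = version

def demo_policy():
    """Constructed sample tenancy: one DBA with two devices, one student."""
    p = CentralPolicy(min_client=(10, 0))
    p.users["dba"] = User(segments={"db-admin", "staff"})
    p.users["student"] = User(segments={"wifi"})
    p.devices["dba-laptop"] = Device("dba", (10, 2), date(2030, 1, 1))
    p.devices["dba-phone"] = Device("dba", (9, 8), date(2030, 1, 1))
    p.devices["student-tablet"] = Device("student", (10, 3), date(2030, 1, 1))
    return p
```

The `audit` list is what a monitoring step consumes: every denial carries the user, device, segment and the control that rejected it.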

In the grand scheme of things, as we’ve mentioned numerous times, it’s vital for organizations to take network security seriously by applying a defense in depth strategy and implementing remote access central management. An overhaul is long overdue for government network security.

Let’s start building security into the Internet of Things now, before everything becomes connected — and hackable.

The Internet of Things (IoT) is weaving itself into the fabric of everyday life, including smart grids, smart meters, connected cars, and devices for the home. Gartner reports there are more than 2.5 billion connected devices today, and by 2020, there will be more than 30 billion.

While there’s excitement about IoT’s potential to create new business and boost productivity and convenience, the technology community can’t forget about security. If there’s one thing IT professionals know, it’s that if something is connected to the Internet, someone will try to hack it.

Unfortunately, the technology industry has a long history of ignoring security in the rush to open new markets, and we may see it happen again with IoT. We’ve already witnessed instances of hackers exploiting security holes in smart TVs and baby monitors.

In some cases, IoT may be able to use existing security technology, such as encryption. Encryption can be used to authenticate devices and, when used with VPNs, can safeguard sensitive data in transit.


Although VPNs are most often thought of as a technology to secure communications with corporate networks and the Internet, they can just as easily be implemented within devices to support machine-to-machine (M2M) communications and more innovative forms of connectivity.

However, encryption also comes with its own drawbacks. Consider key management, for example. As billions of connected devices get rolled out, there is a looming logistical challenge to secure and manage encryption keys.

A well-designed public key infrastructure (PKI) can cover some requirements regarding rollout and maintenance of large-scale encryption systems. However, IoT is not just a big “blob” in the cloud, but a collection of islands where each service provider — e.g., electric utilities, set-top box providers, consumer-goods manufacturers, and so on — has to manage its own keys on its own devices.

Encryption may not always be an option, either. For instance, some low-power devices may lack the computational power necessary to encrypt and decrypt data.

Access control also presents a security challenge in an IoT world. When users are able to access an endpoint device, they’re able to access the entire system, so it’s necessary to have access control systems that manage user and device privileges.

Network administrators have to see the whole remote-access picture, including endpoints, VPNs, and the rest of the network infrastructure. Limiting network access, securing communications, and securing device access all need to be part of an IoT network security strategy.

There’s also the issue of software. As we’ve learned from years of exploits against servers, PCs, and smartphones, attackers will always find vulnerabilities or weaknesses in software that they can use to their advantage.

Organizations that build IoT devices must use secure software development practices to limit potential exploits. Meanwhile, IoT vendors and customers must ensure mechanisms are in place to apply patches or update software as necessary.

More security will certainly come with increased costs. However, this is the price that must be paid to reduce risks. In the long run, any additional costs will be well worth it to ensure corporate, employee, and customer data remain secure.

The Internet of Things has great potential to transform our lives. However, to provide the highest level of end-to-end security, IoT equipment and software have to be designed — from the start — with security in mind, giving consideration to how each component is being used, what type of data will be communicated, what connections will be made, and who will have access.

All communication modes/channels need to be thought through from a security standpoint, and reasonable security guidelines must be established and implemented for all connected devices.

The Internet has taught us the hard way that security has to be baked in, not bolted on afterwards, for maximum effectiveness. Let’s hope the technology community will apply this lesson to IoT.

This post originally appeared on InformationWeek.