Why is cybersecurity important?
KS: No one should doubt the importance of cybersecurity and user privacy. No matter which way we turn, we see a constant stream of news about organizations falling victim to hackers and cyber attacks. With every new connection or integration comes a new potential threat. Today, more and more minutes of our lives have moved to the internet—where everyone in the world is connected—including our friends, family, and a collection of cyber criminals.
Cybersecurity does not come easy. No data or piece of user information is truly secure unless we, as an industry, go to great lengths to ensure safety. But we’ll need to do this amidst change. Digital transformation is accelerating, especially for the campus store. The COVID-19 pandemic compounded matters by creating growing pockets of remote learners, new business-critical and private data that needed to be exchanged, and new work-from-home policies. This recipe made 2020 a record-breaking year for cybersecurity events in the education industry. For any business in higher education, it’s something that can’t be ignored.
How does a focus on privacy and security keep RedShelf at the forefront of digital content delivery?
KS: Just like safety regulations were used to enforce standards, governments around the world are now implementing very aggressive cybersecurity and privacy laws to ensure compliance. Now, more than ever before, any business connected to higher education should be mindful of these new regulations headed downstream. That’s where my team comes in.
In May ‘19, the EU adopted the General Data Protection Regulation (GDPR)—a very strong stance to ensure data security and privacy of its citizens. In January 2020, California implemented similar law, the California Consumer Privacy Act (CCPA.) Nevada, New York, and other states are expected to follow suit. At RedShelf, we’re staying ahead of these regulations—because educational continuity shouldn’t fall victim to malicious hackers.
Due to some of the major and recent U.S cybersecurity events—which exposed the weaknesses deeply resident in the processes of our supply chains—a Cybersecurity Executive Order was issued by the President back in May (EO 14028, May 12, 2021) with updated guidelines being released as recommended by the NSA (first guidance on July 11, 2021 with future updates expected into May ‘22).
Change is always very difficult, but bookstores have an ally at RedShelf. The new laws based on the NIST framework will certainly improve security of our users' privacy, and most importantly, the protection of sensitive data, including our institutional partners' intellectual property.
What makes RedShelf’s approach to privacy and security different from the rest of the industry?
KS: Technology is hard. Maintaining cybersecurity poses even more difficulty for us technologists. In my decades of experience with the U.S. Army and Department of Defense, one thing became very clear—leveraging a proven framework in cybersecurity is essential for long-term success.
RedShelf’s cybersecurity program is built on a solid framework – an NIST CyberSecurity Framework (v1.1) which delivers on five key functions; Identify, Protect, Detect, Respond, and Recover (with 23 sub-categories.) This five-prong approach serves as a guardrail for ensuring a holistic, 360° perspective on cybersecurity.
Unlike others, RedShelf’s cybersecurity program starts with a very robust “Threat Intelligence” program which makes us more aware of data breach trends, evolving hacker tactics, the tools they use, and processes they take. Just like we do in the U.S. Armed Forces, an effective Threat Intel program allows us to be effective at predicting vulnerabilities or targets, preventing and fighting the hackers at the point of attack, instead of trying to defend everything and everywhere—activities often related to little, or lack of intelligence into where the attack or attacker is coming from.
RedShelf’s defensive strategy is built on Cyber Kill Chain® which relies on implementation of multiple layers of complimenting security controls. These layers work together to create an iron-clad defensive system. Cybersecurity is a core, fundamental consideration for all of us here. It begins with an effective employee training program which includes access to our cyber threat intelligence. Next, there are layers of technical controls. These include a Web Application Firewall, Network Firewall, the use of VPN and MFA, strong password management enforcement, and an Intrusion Detection System (IDS.) The IDS allows RedShelf to detect both known malicious signatures as well as behavioral anomalies—at the earliest possible moment.
And if those layers don’t stop a threat in its tracks, all of RedShelf’s critical systems are protected by CrowdStrike Falcon Complete, providing 24x7 endpoint protection. It gives us an added threat hunting capability, driven by both A.I. and human threat hunters to ensure quick response in the event of a security incident, like ransomware and other hacker activity. Lastly, we use the ThreatCon system (Threat Condition Levels) like the DoD to help set standards for the appropriate responses required by our “Incident Response Team” according to the changes detected by our Threat Intel.
What does this mean for the campus store?
KS: Now, more than ever before, the campus store is playing an integral part of ensuring educational continuity. Bookstores are not only making course materials more affordable, they’re facilitating access to digital content that ensures access to the course materials students need, whether on or off-campus. Stores are helping campuses ‘go digital’—sometimes a single classroom—others across entire campuses. This means more and more data is flowing, potentially, through the campus bookstore to ensure this continuous education to students across the country.
And as I remind folks (often), every new integration can pose a new threat or vulnerability. That’s why RedShelf has become a provider to thousands—providing a single, secure integration point for campus store partners. We navigate and handle the myriad of complex integrations with thousands of publishers and partners, absolving the campus store (and supporting institution), of the exponential risks. Simply stated, we’re providing the much-needed ability for campuses to scale digital efforts quickly, without worrying about incremental impacts to privacy and security. We’ve got them covered.
Up Next: Ensuring Accessibility from Adoption to Delivery