1

Cybersecurity poses risk for Montana universities, also small businesses

Montana’s flagship campuses pledged Tuesday to shore up their cybersecurity, but University of Montana President Seth Bodnar said similar threats to small businesses also can be devastating.

Roughly 45% of cybersecurity attacks are against small businesses, and of those that face attacks, some 60% fold, Bodnar said. He and a Montana State University-Bozeman official pledged to address their own technology security shortcomings presented to lawmakers in a Legislative Audit Division report, but Bodnar also said Missoula College is offering nationally recognized education in cybersecurity.

“I also believe we have an obligation as a university to be a place where we can provide that training, that education, to secure Main Street businesses in the state of Montana,” Bodnar said.

The Department of Business and Information Technology at Missoula College notes on its website the National Security Agency and the U.S. Department of Homeland Security have identified the college as a National Center of Academic Excellence in cyber-defense two-year education. Bodnar also gave a nod to the $1.5 million the Montana Legislature allocated in 2021 to a Cyber Hub at the college.

In comments to the Legislative Audit Committee, Bodnar said Missoula College already has helped train the Montana National Guard and is in discussions about other trainings it could hold, including with the Department of Commerce. He noted the campus was recently approved for a bachelor’s of science to build on its two-year cybersecurity program, and it’s working on a certificate and graduate training as well.

Bodnar’s comments followed a presentation by Miki Cestnik, information systems audit manager with the Legislative Audit Division, on security findings from a recent audit of MSU and UM and an assessment of the role of the Montana Board of Regents and Office of the Commissioner of Higher Education in information technology security.

“The main point of this report is that everyone plays a role in information security, and everyone here has some work to do,” Cestnik said.

Cestnik said the higher education institutions gather, use and create data, and they hold student data, financial data, personal health data, and research data. During the audit, she said contractors identified vulnerabilities at both campuses, and they need to safeguard the information and protect against service disruptions.

“With all of these types of data in one location, higher education institutions are a rich target,” Cestnik said.

However, Cestnik also said the Board of Regents and  Commissioner’s Office need to provide more guidance to campuses in risk management and governance. In general, she said cybersecurity is becoming more costly, and she noted the cost to UM for HIPAA specific cybersecurity insurance shot up to $44,000 from $11,000 because UM’s security program posed too high a risk (UM declined the coverage but continues to be generally covered for cybersecurity breaches, according to the audit).

Commissioner Clayton Christian said he agreed with the findings, and he also noted a workgroup already had formed to tackle some of the challenges and planned to look at best practices. Christian said the work has been taking place on the campuses, and it’s costly, but he agreed it needed to be more coordinated.

“Of things that keep me up at night, cybersecurity is certainly one of them,” Christian said. “It’s not going away. It’s getting more complex. How we handle that is certainly part of that complexity.”

Sen. Pat Flowers, a Belgrade Democrat, said in his experience, it’s easy to spend an enormous amount of money on cybersecurity, and he wondered if there were guidelines for the campuses. 

“It does feel a bit like a bottomless pit in terms of how much money you can spend on cybersecurity,” Flowers said. “Is there a standard? Like how much is enough, or what level of risk is acceptable? Because you’ll never get to zero. How do you make that calculus in how much to invest in cybersecurity to reduce risk down to what level?”

Cestnik said she didn’t have a number, but she said campuses need to identify a strategy and establish their risk tolerance and thresholds and how to prioritize cybersecurity in order to determine how much to spend. She also agreed with Flowers’ assessment: “It can be a bottomless pit.”

In her report, Cestnik also noted turnover at MSU and hiring challenges at UM were among the problems. Bodnar noted two national recruitments for a chief information security officer failed, so UM trained and promoted internally instead. He noted Montana has some 3,683 cybersecurity jobs, and 1,100 of them are unfilled.

“There’s a massive war for talent,” Bodnar said.

Federal regulations control some of the data protection, but Cestnik also said higher education officials have some choices in how they decide to oversee information technology security. For example, she said the state can take a centralized approach or it can take a decentralized approach, and both options have worked well in other states.

Rep. Terry Moore, a Billings Republican, said he would like to see the university representatives return in six months or so for an update, and Chair Rep. Denise Hayman, a Bozeman Democrat, said she concurred, as did Commissioner Christian.

“It seems like given the significance of the risk management issues that have been identified, along with a whole host of strategic conversations that are going to be taking place in the background, it might be good to have a follow up report,” Moore said.