Beyond Containment: Redefining Cybersecurity and the Digital Campus at Washington College
- By Irving Bruckstein
- September 12, 2025
In the aftermath of a ransomware attack, Washington College stood at a crossroads — its legacy defined by centuries of academic excellence, but its digital infrastructure revealing the fragile underbelly of modern campus operations.
When I arrived, the attack was already responded to, but its implications were far-reaching. When a ransomware attack disrupts a college campus, the instinct is often to fix what’s broken, patch what’s visible and return to “normal.” But for institutions willing to ask deeper questions, these events reveal an opportunity to rebuild—not just stronger, but smarter.
(Re)Building from the Ground Up
What followed was a complete reconstruction of how cybersecurity, access and institutional resilience were understood and executed. On assessment, what emerged was a campus digital assets that were far too exposed. Systems that should have been internal sat on public IPs. Metadata designed for convenience—org charts, system URLs, administrative contact info—had become tools in the wrong hands. A dark web scan revealed a volume of sensitive institutional data, which was four to five times higher than peer institutions of similar size. While not FERPA-protected data, this was the kind of intelligence cybercriminals rely on to orchestrate precision attacks.
Without hesitation, our team moved every nonessential public-facing system behind the firewall. That alone cut our external attack surface by over 85%. But true security couldn’t stop at visibility. We needed to restructure how people accessed institutional tools and information.
Washington College lacked an intranet—no internal portal to serve as a boundary between campus and the wider web. Community-specific data ended up on the public website, simply because there was nowhere comparable to put it. That ended with the launch of “MyWashColl,” our new engagement hub developed with our partner Pathify. Gated behind credentials and multi-factor authentication, it quickly became our campus’s secure front door, redefining how our users—faculty, students and admin— engaged with clarity, consistency and control.
Building a Security-First Culture
“MyWashColl” gave us a secure place to put critical information. It also reduced our dependency on an outsourced website that billed us for every update and left little room for agility. Departments could now manage their own content. Communication became easier and our risk dropped almost immediately. Students, meanwhile, got what they expected—a relevant, digital and centralized experience.
This architectural shift laid the groundwork for a broader cybersecurity transformation. We built a professional security team. We aligned our strategy with NIST 800 and affirmed the institution's compliance with the Gramm-Leach-Bliley Act (GLBA). State of the art AI-based detection and protection tools from Darktrace now give us real-time protections, as well as insight into behavioral anomalies across the network 24x365. Phishing simulations, designed by my team, became a continuous learning loop— educating the community, reinforcing awareness and closing the human vulnerability gap.
Cybersecurity isn’t a static achievement but a living posture, one that must evolve as threats do. We now conduct regular third-party penetration tests, audit our environment using risk-scoring tools and monitor our systems around the clock. As of this writing, our cybersecurity rating ranks in the top percentile of higher education institutions nationally.
Tools alone do not secure a campus—culture does. It’s not easy convincing a college to invest heavily in cybersecurity—especially when budgets are tight and risk feels abstract. In our case, the ransomware attack created urgency and accelerated decisions that, in a different context, may have faced more resistance. But institutions shouldn’t have to wait for a breach to take security seriously, as the stakes are too high.
What Senior IT Leaders Must Consider Today
The most urgent lesson for CIOs, CISOs and senior IT leaders is this: exposure is not always obvious. In fact, some of the riskiest systems are the ones that feel most benign —public-facing org charts, URLs for enterprise resource systems, PDF forms intended for internal use but indexed by Google. The surface is wider than many realize, and so is the reach of adversaries scanning for that data.
Audit everything. Treat every access point as a liability until proven otherwise. Then, reduce complexity. A smaller surface is easier to defend and easier to understand. In our case, this wasn’t about removing functionality. It was about tightening the perimeter and creating a clear, credentialed path for the people who need access.
The second lesson is that consolidation and security are not at odds. Too often, portal fatigue is treated as a UX issue rather than a risk vector. Every disconnected system a student or faculty member must navigate — every bookmarked link, every login—is another place to lose credentials or unintentionally expose information. A unified, secure engagement hub like “MyWashColl” isn’t just more efficient. It’s safer.
There’s also the matter of compliance. GLBA is no longer optional and the requirements are no longer vague. Institutions must document, educate, test and maintain. For those who haven’t yet adopted the NIST 800 framework, that’s a logical—and increasingly necessary—place to start. But even frameworks don’t guarantee safety. They’re a means to an end, not the end itself.
Another overlooked truth: cybersecurity expertise is non-negotiable. Many smaller institutions don’t have the budget for full-time CISOs or security engineers. But that doesn’t remove the obligation. Virtual CISOs, fractional security teams and third-party consultants can fill that gap—so long as the institution is willing to listen to and act on their recommendations. Security cannot be delegated without accountability.
Internal cybersecurity conversations shouldn't devolve into technical debates —it's a strategic asset mixed with a psychological point of view. Budgets are easier to unlock after a breach—but the challenge is making the risk real before it becomes reality. CIOs have to be storytellers, risk translators and policy champions. They must frame cybersecurity not as a drain, but as an enabler—of continuity, of trust, of mission.
Digital Trust is the Path Forward
As higher education grapples with a convergence of pressures —shrinking student populations, evolving delivery models, increasing public scrutiny and public funding squeezes—digital trust must become foundational to how colleges and universities operate as a shared mindset.
At Washington College, cybersecurity became a catalyst for broader change— clarifying priorities, tightening processes and opening up space for better digital experiences. Security serves as a lever, as cybersecurity is never finished. But with the right structure, the right mindset and the right partners, institutions can move beyond defense—and start building something intentional, lasting and resilient.