Higher ed is seeing a rise in cyberattacks, and the industry remains a popular target. In 2021, 74% of ransomware attacks on higher ed institutions were successful. Cyberattacks can have both financial and operational consequences (the average cost of a data breach in the higher education industry was $3.86M in 2022, up from $3.79M in 2021), which makes it all the more important for institutions to have the right infrastructure and personnel in place to safeguard their data. But why is higher ed an attractive target, and what can institutions do to ensure everyone on (and off) campus takes cybersecurity seriously?
Mark Relf, Senior Manager – Information Security at Collegis, explains why higher ed remains vulnerable to cyberattacks and how creating a culture of cybersecurity can help everyone do their part to keep an institution safe from cyberattacks.
1. Why is higher ed an appealing target for cyberattacks?
Essentially, they have loads of “the crown jewels” (people’s information) housed in antiquated systems and poor processes. The typical IT structure at a college or university was built by a handful of former graduates – or even current students, at the time – who have an interest in IT. The schools are constrained by the limits of that initial group’s capability and resources. Because of this, as an example, we’ve recently migrated one partner off of a directory service that was officially retired in the ’90s.
There’s also a lack of cybersecurity awareness and culture within many organizations, which leaves them more vulnerable to threats.
2. What kind of data is at risk for cyberattacks?
Identity information belonging to students, employees, donors and vendors is at risk. This can include everything from a social security number to date of birth, credit card numbers, bank account information, tax information, 401(k) information and even health care.
There’s also a risk to demographic and application information for students who are applying. And then there’s also intellectual property – everything created by the professors and all the development and research for which a school has put in its resources.
3. Do institutions’ constituents tend to take cybersecurity seriously? Why or why not?
I don’t think the general public takes cybersecurity seriously. Some people still use one password for everything. Doing our own personal cybersecurity hygiene is arduous and becomes a mundane task – and so people don’t spend time ensuring they’re cyber secure.
Not taking cybersecurity seriously leaves people vulnerable to threats. An example I ran into with one university was that a cyber attacker figured out a class had a lab and billed a student an $85 lab fee. It wasn’t a huge amount of money, so it was not enough to prompt the student to do their due diligence to ensure it was a legitimate bill from the university. They submitted their credit card information, and – all of a sudden – the student had fraudulent charges.
4. How can higher ed administrators create a culture of cybersecurity?
Administrators can do this by taking cybersecurity seriously and leading by example. They need to commit to cybersecurity and continually review what is working – and what’s not.
A lot of the technology schools have today can be leveraged to create safe environments, but it starts at the top with a commitment to continually reviewing what is working and what is not. Any process can be reviewed to be more secure. Once you have a process that is secure and works, then the goal is that your people understand that policy and follow it. Once they understand and follow it, you can start using technology to make those procedures easier and more fluid. This doesn’t have to be difficult. This can be as simple as internal website pages with clear instructions, and tools for automating tasks.
5. How can students contribute to maintaining cybersecurity?
Cybersecurity needs to be cultural. It can’t just be an IT concern. Students need to first be made aware of cybersecurity policies and processes – and how they directly affect them – which can be communicated through orientation, syllabi and ongoing communications from administration and their professors. They also need to know who they can go to with questions or for help. Then, students can contribute to a cybersecure institution by following those policies and procedures.
6. What is the first step to creating a cybersecurity strategy?
Begin by asking these questions:
- Which types of cybersecurity incidents are we most afraid of?
- Do we have adequate controls to detect or prevent these incidents?
- Do we have metrics reporting the accountability of all roles and their thoughtfulness on cybersecurity?
Once those questions are answered, the objectives become clear and the strategy begins to be formulated.
It’s important to note that cybersecurity is not just a check in a box. It requires ongoing review and patching. There’s not one “secret sauce” solution. It’s a journey.
Does your culture need a shift?
It can be a heavy lift to transform an institution’s culture to learn to value cybersecurity and adopt practices and processes that all constituents follow. A strategic partner can help dramatically ease the burden. Collegis Education has the people, processes and tools to strengthen your security ecosystem. Our security strategies and practices safeguard your school, and we can help create a formal security policy to educate your institution in adopting a cybersecurity culture.
Our infographic explains the three steps for creating a cybersecure culture.