Higher ed has become an attractive target for cyberattacks. In July 2020, Comparitech reported that 1,327 data breaches in the education sector had resulted in the exposure of 24.5 million records since 2005. Higher education accounted for three-quarters of those breaches.
While there’s no magic bullet to prevent all breaches, understanding widespread vulnerabilities, common types of cyberattacks and how to prevent breaches can help college and university leaders prioritize their security strategies to safeguard both student and institutional data and resources.
We enlisted Jason Nairn, VP of information technology and security at Collegis Education, to discuss the issue of cybersecurity in higher ed to help college and university leaders know what they’re up against in order to enhance their information security plans. View the following infographic and article (beneath infographic) to learn more.
The rise of cyberattacks in higher ed
Although higher education networks were a high-value target for cyberattacks prior to the impacts of COVID-19, the shift to remote and online learning en masse quickly increased the number and severity of cyberattacks on institutions. In fact, the number of attacks on educational institutions has grown faster than in any other sector, according to a report by Checkpoint. This category experienced a 30 percent increase in attacks compared to a 6.5 percent average increase across all industries in just July and August 2020.
Why colleges and universities are attractive targets for cyberattacks
All organizations face an increasing number of cybersecurity challenges today, but higher ed is an especially appealing industry for cybercriminals. There are a few key reasons for this, such as:
- Personal data: Schools possess large quantities of sensitive, personally identifiable information such as financial data, medical records and Social Security numbers, which can be sold on the black market.
- Research: Attackers are often drawn to the sensitive nature of emerging research projects.
- Outdated systems: Many schools are still using legacy systems that can be easily exploited.
- Large, untrained user networks: Schools have many users who simply lack security awareness and can unknowingly admit malware onto their networks through personal devices or applications.
In addition, college campuses are by nature open environments that are designed to be accessible to all students and staff. Unfortunately, this means schools have their doors open – both physically and digitally – to the world.
“To facilitate an academic environment where information is freely and easily shared, you can’t really put walls up, which makes it much more difficult to secure a college campus than a private business,” Nairn says. “Colleges don’t have all the options that private businesses do to put defensive rings around their so-called ‘crown jewels’.”
Finally, COVID-19 has made breaching higher education networks even easier for threat actors. After all, most students and staff are now connecting to educational networks remotely – from potentially unsecured wireless networks – and communicating via digital tools.
“Before COVID-19, if the CFO saw an email from the president directing them to pay an invoice, the CFO could walk across the hallway and ask the president if they sent the email,” Nairn explains. “But now that they’re remote, school personnel are reliant on digital tools that cybercriminals can use to fool them.”
Common types of cyberattacks affecting higher ed
The goal and target of cyberattacks have always been about getting money and resources out of someone. To gain access to these resources, cybercriminals use numerous methods, including socially engineered attacks like phishing, spear phishing and spoofing, to trick users into giving up their log-in credentials or other personal information that can be used to breach a system.
“The most common way cybercriminals get users to give up either credentials or personal information is through social engineering,” Nairn says. “This is the use of psychological manipulation to trick humans into making security mistakes or giving away sensitive information.”
Hacking, which is the process of identifying and exploiting weaknesses in a system or a network to gain access to data, is another heavily used tactic in higher ed. It often involves using a password-cracking algorithm (in a technique referred to as “brute force”), to break into a computer system to extract resources. Notably, around 80 percent of hacking-related breaches involved either some form of password cracking or the use of lost or stolen user credentials.
More worrying, however, is the fact that ransomware attacks, which paralyze victims’ systems or threaten to release confidential information until they pay a ransom, have been on the rise. For example, between 2019 to 2020, the number of detected ransomware attacks increased 715 percent. And – though you may think that higher ed would be a smaller target than, say, a financial institution – in 2016, higher ed had the highest rate of ransomware across all industries.
What risks do cyberattacks pose for institutions?
Cyberattacks can cost institutions in a number of ways. But Nairn believes the number one risk to the institution is reputational.
“The university is responsible to some extent for the welfare and wellbeing of their students, especially if they’re on-campus residents,” he says. “When the school has a data breach that compromises the personal data of a family or student, this impacts that trust relationship, ultimately trickling down into potential enrollment loss.”
Other risks to the institution posed by cyberattacks include financial and operational loss. Cybercriminals know the premium schools place on protecting student data and continuing operations and are able to demand large ransoms (often in the millions of dollars) for a return to normalcy. Notably, in a ransomware attack, students, staff and faculty may be unable to access key learning and financial systems, and all servers must be shut down until the situation is under control. This translates into lost days of work where bills don’t go out, students can’t get tests in on time or participate in their online classes and news stories can chip away at a school’s reputation.
How can higher ed defend itself against cyberattacks?
Lately we have seen an increase in menacing activity and more challenging risks to institutional security and privacy. With the dramatic shift to remote learning and operations in 2020, threats are at an all-time high. However, this doesn’t mean colleges and universities should feel helpless.
While there’s no single tool to prevent all cyberattacks, higher ed leaders can take proactive steps to prevent and remediate many breaches by prioritizing several basic cybersecurity strategies:
First is the installation of threat detection tools, such as data loss prevention software, that analyze a security ecosystem to quickly identify malicious activity so that mitigation efforts (sometimes as easy as changing passwords) can be enacted.
Next is the development of a formalized and well-documented policy for IT security that sets standards of behavior for faculty, staff and students’ digital activities – as well as those in the executive suites. This should also outline which systems should be in place to guard data and assign roles and responsibilities.
Finally, and potentially the most important strategy, institutions must offer regular information security education and training to students, faculty and staff. For example, in the report from Comparitech, unintentional information disclosures accounted for 27.3 percent of higher ed breaches, and the theft or loss of portable devices made up 14.7 percent. Those figures suggest that beyond shoring up sensitive data with digital fortifications, proper training in the handling of data – and physical technology – remains crucial. This also corroborates a study by IBM which found that human error is the main cause of 95 percent of cybersecurity breaches.
“I get asked a lot what the secret sauce to preventing breaches and getting ahead of the game on security risks is, but the reality is that there’s no secret sauce,” Nairn says. “It’s really about getting boots on the ground and developing a comprehensive security strategy where the responsibility for safeguarding systems and data extends beyond the IT department to everyone in the organization, from students and instructors up through the highest levels of leadership.”
Don’t wait until a data breach occurs to put an IT security strategy in place
Outside of the occurrence of something like a major breach, cybersecurity has not typically been on the radar of those at the highest levels of management at the institution. However, given the ever-evolving and increasing threat of cyberattacks, prioritizing a cybersecurity strategy is now fundamental to creating a more secure and financially stable future for higher ed.
If your internal IT team is feeling the strain, our information security experts at Collegis can help.