The Dark Cybersecurity Threat Facing Universities
A look at Microsoft’s Global Threat Activity Tool may surprise you. In the past 30 days, the education industry has reported more malware encounters than any other industry. With nearly 6 million threats in the education sector alone, the retail and consumer goods sector trails far behind with less than 640,000 incidents. But why on earth would hackers target educational institutions, especially universities?
Universities and colleges are easy targets. As early adopters of computers and the Internet, many higher education institutions still maintain legacy computers and infrastructure that limits the implementation of adequate cybersecurity. While shared USB drives, weak passwords and email attachments have long been entry points into university networks, the pandemic-induced rush to distance learning has intensified the challenges of cybersecurity. BYOD (Bring Your Own Device) policies, disruptive class bombings, and flaws in open source learning platforms have left universities more vulnerable than ever.
Soft targets aside, the most compelling reason is Data.
Research data is valuable data
Universities house massive amounts of data. Only student records contain personal, medical and financial information. Data collected by research universities in partnership with government agencies such as NASA, the National Institutes of Health and the military are particularly sensitive. A breach of the university could conceivably compromise national security.
Sounds far-fetched? Some of the most prestigious universities in the United States have been victims of cyberattacks, some by Russian bad actors. Cornell University, New York University, and University of California, Berkeley each suffered a significant cyberattack. Howard University saw over 80,000 patient records breached in a ransomware attack. And Lincoln College, a 157-year-old HBC that endured the 1918 flu pandemic but struggled to enroll during the early days of COVID-19, closed after a ransomware attack in December 2021.
Unsurprisingly, phishing emails remain the most common cyberattack method. After all, why change a proven tactic? Malicious actors spread a large network of phishing emails, hoping for a random click to deploy malware that will capture passwords, usernames, and social security numbers. But stealing a CVV credit card is often a warm-up. Get to valuable information is the goal, even if it takes time. A little data here and there can result in a treasure trove of information – and hackers are playing the long game.
A myriad of regulations and compliance frameworks
Universities must comply with many regulations, including the Family Educational Rights and Privacy Act, Title IX, Title VI, Americans with Disabilities Act, Section 504, HIPAA and Freedom of Information Act. In addition to student enrollments, grants, and financial transactions, universities need to manage third-party, vendor, and contractor risk. Security and compliance frameworks help universities protect critical data and manage risk, but add complexity to coordinated cybersecurity efforts.
The reality of the spreadsheet
Universities often prioritize athlete and donor requests over cybersecurity, leaving IT departments to rely on spreadsheets to track security and risk, creating huge headaches for teams computers. At first glance, spreadsheets make sense: rows and columns of approvals, authorizations, categorizations, and reconciliations can be quickly sorted and even viewed by some spreadsheet applications. Spreadsheet reality, however, is radically different. At best, multiple stakeholders from other departments or colleges in the university system make updates directly to a shared spreadsheet. But a single “Save As” can set off a chain reaction of duplication and inaccuracy. The burden on IT teams to compare rows, cells, and sheets to ensure a single source of truth creates unnecessary work, leading to employee fatigue and burnout. And with each spreadsheet iteration comes an additional margin of error. More importantly, it’s a woefully inadequate defense against cybercriminals.
Viable options exist to manage cyber risk without significant investment. A compliance operations platform can manage cybersecurity evidence collection and monitor controls through automation and analytics. Accelerated vendor risk assessments and controls mapped to specific risks help IT teams manage critical cybersecurity issues more effectively. Although bad actors are the aggressors in an attack, universities are ultimately responsible for securing their networks and should carefully evaluate platforms for customizations, features, complexity, and scalability. Ultimately, the goal is to reduce the risk of cyberattacks, which can lead to data breaches, reputational damage, financial loss and operational disruption. An adequate and well-planned cybersecurity strategy is essential to the continued success of universities and colleges.
Critical infrastructure, critical data
The universities are critical infrastructure, being “so vital to the United States that the incapacitation or destruction of these systems and assets would have a debilitating impact on national security, national economic security, national public health or safety, or any combination thereof” . They educate, develop and produce scientists, doctors, economists, historians and engineers. Universities contribute to technological innovations, space exploration and the advancement of society. But even when they are most secure, universities are vulnerable targets for cyberattacks due to the amount of valuable data they retain. Universities must prioritize actionable cybersecurity strategies to face the future on its terms. If cybercriminals aren’t shy about influencing a presidential election, they won’t hesitate to step up their efforts to steal some of the world’s most sensitive data.
*** This is a syndicated blog from the Security Bloggers Network of hyperresistant written by Libbi Bosworth. Read the original post at: https://hyperproof.io/resource/cybersecurity-threat-facing-universities/