Cyber Security for Higher Education: What Colleges & Universities Need to Know
Institutions of higher learning don’t just disseminate knowledge, they store it. Extensive data repositories hold proprietary information about vital scientific and academic research (some of it under contract to businesses and government). And then there are the billions of pieces of personally identifiable information for students, faculty, staff, family members, patients and research participants that are held by the world’s institutions of higher learning.
Every bit of it is valuable to the institution and, we must recognize, to cybercriminals and nation states as well.
Sure, it sounds like the latest Netflix series, but data protection and cybersecurity are very real issues for CISOs and CIOs at campuses large and small all over the United States and the world.
“Universities and colleges generally operate on the open campus model, and one core principle they have is free and open dialog and information exchange,” explains Mimecast cybersecurity expert Matthew Gardiner. “They often operate in the public domain, they share research, invite visiting speakers and professors. So campuses are often very porous communities by design that can’t be excessively locked down from a security point of view. Yet they are absolutely dependent on their IT systems, including email and their data archives. Institutions of higher learning often also are gigantic communities, the size of cities, all of which makes them really good targets for cybercriminals.”
Cyber Attacks and Data Breaches in Higher Education
Cyber threats to higher education include phishing, W-2 scams, ransomware attacks, data breaches and DDoS attacks. Here are a few recent incidents from some US institutions:
- Boston University: WannaCry ransomware attack
- College of Southern Idaho: W-2 scam affecting records for 3,000 seasonal and auxiliary employees
- Daytona State College: W-2 scam and a data breach involving financial aid records (numbers not reported)
- Los Angeles Valley College: Ransomware attack prompted a $28,000 bitcoin payment to cyber thugs who took over the campus email system and computer network
- Rutgers University: Multiple DDoS attacks
- University of Alaska: Phishing scam led to a breach of 25,000 student, staff, and faculty records
Cyber attacks can come at a high price. Ponemon’s 2017 Cost of Data Breach Study estimates the average cost per compromised record in U.S. higher education at $245. And every one of these security issues puts universities and colleges at risk of being out of compliance with a raft of regulations, including FERPA, HIPAA, HITECH, COPPA, and PCI DSS.
These incidents illustrate why CISOs and other administrators must acknowledge that their institutions are being specifically targeted.
“These hackers are not kids in hoodies, they are not a ‘400-pound man who lives in his parent’s basement’ -- they are educated, organized, and well-funded enterprises,” warns Jason McNew, a certified information systems security professional and CEO of Stronghold Cyber Security. “Security is a cost center, so executives need to understand these threats and give CISOs the financial resources they need for cybersecurity.”
Improving Information Security for Higher Education
Protecting campus email systems and vast data files and archives requires a multi-pronged approach to cybersecurity and data protection. Cybersafety and security are fundamental for every institution. To safeguard networks, CISOs should:
- Start with culture. “Work on building a culture of security that is similar to the culture of safety that you already have,” McNew says. “Train your users on security, put security posters up next to the safety posters, do security drills. I say this because technology is like a moat, but people and policies are what really make the castle.” Learn more about how to get everyone involved in cybersecurity.
- Assess security threats. Unless you’ve done one recently, perform a full data security audit to prevent cyber attacks. This helps you understand your threats from nefarious hackers and internal “oops” leaks of data. The audit should include technology infrastructure, organizational policies, and user training. While your on-campus staff could complete the audit, you may be better served by working with an outside expert so your team can stay focused on day-to-day tasks and you can leverage the experience of people who do these types of assessments regularly.
- Optimize technology. Of course, you must stay current on security patches and updates, but a formidable layer of technology-based protection requires more. Installing cloud-based email security and archiving solutions is crucial to fortifying your defenses. So many attacks these days are email-borne. Institutions working on government research, or specializing in engineering and technology, “need a cybersecurity program that is probably similar to what a defense contractor like Lockheed Martin would have,” McNew notes.
- Strengthen the cybersecurity plan. Based on the audit’s findings, upgrade your cybersecurity plan – including a review of your requirements, activities and data classifications. Experts recommend the robust criteria outlined in the National Institute of Standards and Technology (NIST) cybersecurity framework. The plan should include technology deployments for data security and threat response and resilience; stronger credentialing for administrator roles; schedules for testing and drills; and training for students, staff, and faculty – after all, these are institutions focused on learning! Get tips for planning cybersecurity training.
Training all members of the campus community, redesigning policies and creating a strong ring of technological protection are the best ways to increase information security for higher education. Use this advice to get started.