Educational institutions store a significant amount of sensitive data ranging from research to test documents to personal student information. While cybersecurity in the financial industry garners a substantial amount of attention, recent guidelines are also highlighting the vulnerability in the education sector. As schools incorporate more technology into classrooms and administrative offices, information security will become increasingly vital.
Is your information at your university protected? Learn about cybersecurity in education with our comprehensive guide.
Common Educational Cyber Attacks
When compared to the business sector, schools aren’t necessarily considered for-profit entities (although in many cases, they are). The resulting question is what do schools lose when an attack occurs? The answer varies depending on the type of attack. If a school is known for rigorous research and academic publications, a compromised network can greatly impact the reputability and integrity of the research. An attack may cause computer outages or cripple other tools used while teaching.
These types of attacks not only set students behind but also limit the type of education teachers can provide to students. Imagine trying to teach a programming class with glitchy, compromised computers! Needless to say, the consequences of attacks on educational institutions differ from those in the business sector, but they are no less damaging. Between personal information, endowments, and groundbreaking research, universities hold a wealth of information threat actors want.
The Major Threats
Cyber threats to universities began around 2000, at least those that have been documented, and since then, the intensity and complexity of attacks have increased. The history of cyber attacks in the education industry shows that motivations for cyber attacks range from altering grades to stealing PII to rerouting scholarship money. Although new threats are emerging all the time, the following five threats are a continuous problem for universities.
Cloud Security – Many schools today use cloud-based platforms to connect with students to make the dissemination of teaching resources easier. However, if the cloud infrastructure is not hosted by the university, PII, financial data, or operational data may be stored on third-party servers. Additionally, all the IoT devices used in conjunction with the cloud further broadens the threat landscape. To evaluate your cloud security use the Higher Education Cloud Vendor Assessment Tool provided by the Higher Education Information Security Council (HEISC).
Distributed Denial of Service (DDoS) – Denying access to a school’s systems and records can wreak mayhem on daily operations. DDoS attacks cripple a network by flooding the system with more traffic and requests than it can handle. Utilizing firewalls and anti-virus software can help minimize the likelihood of a DDoS attack. Penetration testing will further identify gaps in a university’s system.
Malware – Ransomware, viruses, worms, and adware fall into the malware category. Requiring students to have up-to-date anti-virus software on their devices prior to connecting to the university network is advisable. Malware can result in extortion, fraud, or stalled operations.
Phishing – Phishing emails are notorious. The difficulty in combatting them at universities comes when threat actors spoof legitimate university email accounts, making the sender address very similar to an authentic one. Consequently, students click on the links and allow the threat actor to gain access to the entire university email system. Awareness serves as one of the best ways to protect against phishing, along with utilizing AI software that can identify fraudulent emails or alert users that the email comes from an outside account.
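The two controls mentioned above, tagging mail that comes from an outside account and catching sender domains that merely resemble the university's own, can be implemented with a small mail-gateway check. The following is an added example written for this guide, not code from the article or from any vendor product: the university domains, the organization name, the confusable-character table, the edit-distance threshold of 2, and the sample From: headers are all constructed assumptions.

```python
"""Flag mail that arrives from outside the university or from a lookalike domain.

Added example (not from the original article). The domains, organization name,
confusable table, threshold and sample headers below are constructed assumptions.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Assumption: the domains the university legitimately sends mail from.
UNIVERSITY_DOMAINS = ("example-university.edu", "mail.example-university.edu")
# Assumption: the name a spoofer would put in the display name to look official.
ORG_NAME = "example university"
# Assumption: how many character edits still count as a lookalike.
LOOKALIKE_THRESHOLD = 2


def normalize(domain: str) -> str:
    """Collapse common character substitutions so 'examp1e' compares as 'example'."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")          # two-letter confusables
    return d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender_domain: str
    external: bool                 # not one of UNIVERSITY_DOMAINS
    lookalike_of: Optional[str]    # legitimate domain the sender resembles, if any
    display_name_spoof: bool       # display name claims the university, address does not
    banner: str                    # text a gateway would prepend to the subject/body


def classify(from_header: str) -> Verdict:
    """Decide how a gateway should label one From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    external = domain not in UNIVERSITY_DOMAINS

    lookalike = None
    if external:
        for legit in UNIVERSITY_DOMAINS:
            if edit_distance(normalize(domain), normalize(legit)) <= LOOKALIKE_THRESHOLD:
                lookalike = legit
                break

    display_spoof = external and ORG_NAME in name.lower()

    if lookalike or display_spoof:
        banner = f"[SUSPECTED SPOOF] {addr} is not a university account"
    elif external:
        banner = f"[EXTERNAL] {addr} is outside the university"
    else:
        banner = ""
    return Verdict(domain, external, lookalike, display_spoof, banner)


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in (
        "Registrar <registrar@example-university.edu>",
        "Financial Aid Office <aid@examp1e-university.edu>",
        "Example University IT <helpdesk@gmail-example.com>",
        "Vendor <sales@vendor-example.com>",
    ):
        print(f"{header!r:60} -> {classify(header).banner or 'internal'}")
```

The edit-distance check catches single-character swaps and digit-for-letter substitutions; the display-name check catches the other common pattern, where the address is an ordinary external mailbox but the display name reads like an official office. A gateway would prepend the banner so that the reader sees the warning before the link.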
Unsecured Personal Devices – Every student has at least a phone and laptop, not to mention tablets and fitness trackers. Moreover, it’s not just students who bring their devices; professors, visitors, and foreign exchange students also bring their devices. The more devices, the more vulnerable the network becomes. Implementing monitoring controls and conducting regular risk assessments will help safeguard the wireless network.
Common Security Mistakes
Even though there is greater awareness of the threats universities face, the attack frequency on such institutions continues to increase. So what are universities doing wrong?
- Weak security controls – Universities today use a lot of technology, ranging from dining hall apps to cloud-based tools. Depending on the size of the school, the number of security controls necessary can become overwhelming and result in poor or negligent implementation. Many times, schools add new technology but fail to expand their security protocols as well.
- Limited IT personnel – Budget allocations are coveted at universities. Every department wants more resources, which can lead to the depletion of the IT department. Without the proper staffing to monitor devices and networks, having security controls will only go so far in protecting personal and academic information.
- Human Error – If you’ve ever attended a university, you know that the admissions department and recruitment offices tend to leave their doors open. The goal is to create a welcoming environment that draws in potential new students. However, from a security perspective, such practices make information vulnerable. Other common mistakes that plague every industry include leaving passwords on sticky notes and clicking on malicious email links.
Cybersecurity Regulations for the Education Sector
The Readiness and Emergency Management for Schools Technical Assistance Center (REMS TA) published a report on cybersecurity concerns facing Institutions of Higher Education (IHEs). Hacking, malware, and unintended disclosures continue to raise the issue of cybersecurity within higher education. Several government regulations either focus on educational information security or include specific clauses addressing the sector.
FERPA – The Family Educational Rights and Privacy Act requires that students provide written consent prior to the release of any records and PII.
FISMA – The Federal Information Security Modernization Act of 2014 falls under the e-Government Act. Although FISMA applies mainly to government agencies, it also applies to contractors and entities that collect or maintain any agency information. As some universities collaborate with agencies on research projects, it’s important that IHEs follow the National Institute of Standards and Technology’s (NIST) security controls.
GLBA – The Gramm-Leach-Bliley Act focuses on financial institutions; however, IHEs must also comply with the GLBA’s Safeguards Rule as these institutions deal with large inflows and outflows of money. The Rule addresses financial information and how to adequately protect it by assessing threats, preventing unauthorized access, and ensuring confidentiality. The Rule also requires the following:
- Designate an employee to liaise between the IT department and the financial office
- Assess internal and external risks
- Implement security controls and monitor those controls
- Review service providers to confirm proper security measures are in place
- Evaluate the effectiveness of controls and methods and, if necessary, remediate
HIPAA – The Health Insurance Portability and Accountability Act requires schools to protect student health information, whether it be insurance information or health issues while on campus. Just as a doctor’s office outside a school must comply with HIPAA, any medical center on campus falls under the same rules. For more information about HIPAA compliance, check out this guide on How to Keep Your HIPAA Compliance Efforts Up To Date.
HEA – The Higher Education Act requires IHEs to implement information security measures if they accept federal financial aid granted to students (Title IV). In other words, any financial information related to a student’s financial aid must be protected by adequate security measures.
The above legislation underscores how vital it is for educational institutions to invest in information security. Many of the requirements overlap, and one of the best places to start is the NIST cybersecurity homepage. Learn about the different recommended controls and then assemble a knowledgeable team to implement those controls. Ideally, this process should happen prior to a new school year before even more new information enters the system, but really, any time is better than no time at all. Another great resource is the HEISC, which started in 2000 with the goal of helping campuses improve their cybersecurity.
How to Improve University InfoSec
In 2017, news outlets reported that Chinese hackers infiltrated the systems of 27 universities across the US and Canada. Moreover, the DOJ released information on Iranian threat actors that ran a university phishing scam from 2013 to 2017 to obtain intellectual property. These attacks highlight how universities around the world face threats from within their own countries and from foreign groups.
So how have universities responded to these revelations? Unfortunately, not well. A 2018 Global DNS Threat Report found that higher educational institutions repeatedly fail to properly address cybersecurity risks and breaches. The report noted that approximately three-fourths of all universities take at least three days to resolve breach notifications. To improve cybersecurity preparedness today, use the checklist below.
- Conduct a security audit – Areas to review include cloud platforms, data storage practices, email systems, infrastructure, employee training, and third-party security policies. If a university does not have robust cybersecurity or IT infrastructure or personnel, it should consider using a third-party auditor. During the auditing process, universities should review any past breaches and rank the threat likelihood for common university attacks.
- Consider the financial risk – University research plays a large role in funding. If a university loses sponsors or partners due to a damaged reputation, the financial fallout could be significant. Brainstorm what kind of attacks might occur and how those may impact the financial stability of your university. Also, it would be wise to allocate some funds for dealing with any future cybersecurity breaches, since it is highly likely that every university will experience at least one in the future.
- Create a cybersecurity framework – Just as in other industries that deal with PII, PHI, and intellectual property, universities should utilize the various new technologies and controls designed to protect information systems. This means security departments will have to do thorough research on what tools are available and which ones best suit the needs of the university. Any framework should be based on past attacks, if they occurred, or whichever attacks were ranked most likely during the auditing/review process.
- Compare your cyber program with others – Is your program meeting the general minimum standards for university cybersecurity? Do your controls fall in the median range for the size and type of university? Comparing your university’s safeguards to those of other similar universities will help highlight your shortcomings or introduce you to new security tools/techniques in the educational industry.
FERPA and Educational Privacy
Just as HIPAA and other guidelines protect customer/patient information, the Family Educational Rights and Privacy Act (FERPA) serves as the educational equivalent, protecting every student’s right to privacy. As noted above, FERPA lists requirements for IHEs that receive government funding. FERPA limits the release of educational records and dictates record storage procedures. Students and parents possess the right to review any educational documents, and, if an error is found, petition for a correction.
When can a school release documents?
Educational records can only be released once a parent or eligible student provides written permission. However, there are exceptions to this rule including if a student is transferring, if an audit/evaluation is ongoing, if a study is ongoing for the school, for financial aid transactions, for the accreditation process, for health/safety emergencies, or for matters of the law.
Who must comply and what are the non-compliance consequences?
FERPA applies to all elementary, secondary, and post-secondary institutions that receive federal funding from the US Department of Education (US DOE). This mostly affects public and charter schools; however, some private schools also fall under the purview of the law. If these institutions or an employee fails to meet the FERPA standards, they may face suspension, termination, prosecution, or a loss of federal funding. To avoid employee FERPA violations, universities especially should invest in training programs for employees.
Cybersecurity in Education Resources
While FERPA covers student privacy regarding information storage and transfer, it does not identify which specific security controls to use. Rather, it vaguely requires “reasonable methods” for safeguarding student information. The US DOE runs a website for Federal Student Aid cybersecurity compliance, specifically targeting universities. The website provides information on relevant rules, tools, and documents. To begin mapping your cybersecurity landscape and determining which controls to implement, use the Cybersecurity Assessment Tool or the Unified Compliance Framework (free and paid accounts available).
Educational institutions hold a wealth of information, including valuable intellectual property and groundbreaking research. If you’re interested in learning more about cybersecurity for educational institutions or need assistance conducting a security review, contact RSI Security today.