Higher education institutions influence the business industry, defense industry, financial industry, and especially consumers. Moreover, they often partner with the government and private sector companies for research and funding. Wondering why colleges are often victims of cybersecurity attacks? Read on to learn more about higher education cybersecurity.
How Often Do Universities Get Attacked?
A 2017 report by the National Center of Education Statistics (NCES) estimated the higher education sector encompasses 20.4 million students and 1 million faculty. With this massive number of potential security targets, universities should take cybersecurity seriously. According to a Moody report, cyber-attacks at universities are on the rise, particularly when it comes to financial information.
Threats to Students
Students participate in much more than just classes while at college. They interact with peers, join clubs, network, and interview for jobs or internships. Throughout these processes, contact information, financial information, and personally identifiable information are exchanged. Everything from emails to relatives to addresses may be stored. Additionally, many students have on-campus jobs, which means universities store banking information. Consider what would happen to a student whose bank account information was stolen. They may only realize there was a breach when their university bills go unpaid, potentially holding back their enrollment process for a new semester. The scenarios are endless, but the bottom line is that students, in addition to universities, have a lot to lose.
EDUCAUSE, a research organization focused on information security for the education industry, reported in 2019 that approximately 85 percent of institutions require faculty training on security practices. However, these institutions fail to make students aware of the threats. Students often know their rights for privacy regarding their information, but they aren’t informed on how to recognize scams.
Who or What is the Biggest Threat?
Cybercriminals typically fall into five categories: organized crime, APT, insider threats, hacktivists, and script kiddies.
- Organized crime attacks usually involve money as the primary motivator. For example, a university may face a ransomware attack demanding payment in exchange for unlocking system access. Or, a group may be running an operation involving selling answer keys to students.
- An APT or advanced persistent threat tends to be more complex. APTs are often groups and not just an individual. These groups may be spies, political manipulators, or thieves. APTs enter a system, undetected, and lurk in systems for extended periods of time. The motivation may be money, but in many cases, sensitive data is the target. These types of attacks are particularly concerning for research universities that partner with high profile businesses and government agencies.
- Insider threats do not always stem from malicious intent but involve an individual inside an organization. Likewise, disgruntled or fired employees have cause to harm a university. Consequently, make sure the credentials of past employees are canceled as soon as possible. Negligence may also result in a security breach and an employee may inadvertently cause a security incident by not following security procedures and best practices.
- Hacktivists are rarely motivated by money but rather promote a cause, like climate change or anti-pollution. For universities, hacktivism may manifest as a protest against university actions (like how the university uses its budget). Depending on the severity of the protest, hacktivism can severely impact a university’s operations.
- Script kiddies tend to be young, such as high schoolers or college students. They are typically novices to the coding world. However, they like to appear more experienced and often use existing viruses or malicious code to cause trouble. College campuses are prime territory for script kiddies to thrive and join a global community of like-minded individuals. The problem is that script kiddies rarely think of the bigger picture, such as a virus going out of control. They are more interested in immediate impact with minimal effort. Consider if a student becomes upset with a professor. He or she may turn to the script kiddie community to wreak a bit of havoc on the professor or school just out of spite. The key differences between script kiddies and other hackers are their minimal experience, often juvenile motivation, and lack of patience.
Why Are Universities Attacked?
Universities have critical times during the year — orientation at the start of a new academic year and the early spring when they begin recruiting next year’s freshman class. During these times, universities are particularly vulnerable and any attack may be extremely debilitating, costing the university money and its reputation. In August 2019, Regis University in Denver experienced an attack that took out phones, email, and the internet at the start of the year. But why are universities attacked? As noted above, each type of attacker has different motivations for targeting an educational institution, but what a university has may determine whether it is overlooked or not. The targeted categories below underscore why universities must invest in a cybersecurity action plan.
Student Information – Universities collect and store personal data regarding a student’s hobbies, past education, family, and contact information. Moreover, students authorize universities to access Personal Health Information (PHI). Once enrolled, student grades, classes, rosters, and sometimes papers are stored by universities. While it’s frustrating to have so much information in the hands of another entity, it’s understandable why universities need the information. They need it not only for general operations but also for metrics and surveys. Using student attributes enables colleges to better target potential students. Students’ residencies, social security numbers, and other PII are vulnerable if a university collects, stores, or transmits that information improperly.
Banking Information – Universities deal with a plethora of financial data from government loans to independent scholarships to work-study positions. Parent, student, and government account information must be stored to enable smooth financial transactions. However, it also means universities must safeguard that information according to the regulatory standards of any applicable entities (e.g., NIST), whether those standards are federal, state, or set by private contracts.
Proprietary Research – Many of the top universities partner with government agencies, tech companies, and healthcare companies to study groundbreaking subjects. Whether it be finding a cure for cancer or developing intelligent robotics, universities store proprietary information. As a result, universities may face legal repercussions if that valuable information is not protected by the partner’s standards. Foreign governments and business rivals are particularly interested in such research.
Connections – As noted above, many universities partner with well-known businesses and government agencies. This means employees or students have contacts within those organizations. Why is this a concern? It offers a point of entry for a threat actor. For example, a threat actor may use an unsuspecting student who is interning at a tech company to infiltrate that high-profile target.
How to Combat Cyber Attacks in Higher Education
Unauthorized disclosure of information can cause irreparable damage to a university’s reputation. Below are three methods for safeguarding student information as recommended by EdTech magazine.
- Not all information needs to be stored. The formal term is minimization. Universities should take stock of what information is necessary and what information just gets collected as a by-product. Basically, instead of using a fishing net to collect information (and other unwanted detritus), use a fishing rod. Minimizing data collection means that if the university doesn’t have it, it can’t be at risk, meaning lower risk of liability. For example, social security numbers (SSNs) used to be the primary identifier for students/parents at schools. However, the new practice of creating a unique identifier for the accepted student negates the necessity of storing SSNs.
- If you don’t need it, get rid of it. Purging data means removing data that is no longer relevant. Again, this reduces the scope of an attack if one occurs. For example, what is the retention policy for alumni data? Different types of data will likely have a different retention period depending on the nature of the information. For example, grades may be kept, but a graduate’s disciplinary record (except for severe cases) is not necessary. If information is only used for validation, delete the information once the point in question is validated (e.g., residency for a school district). Each university will implement a different retention policy, but the important thing is that a plan is in place.
- Implement security controls – Controls aren’t just technical, they can also be administrative in nature. On the technical side, universities should utilize encryption to protect data at rest and in transit. In order to efficiently apply encryption, universities must take stock of where sensitive data is stored or how it is transmitted. Additionally, the type of encryption should correlate with the sensitivity of the data. The more sensitive the data, the higher the level of encryption. The encryption type will also vary depending on how the data is stored. For example, grades are often stored on a cloud-based platform. If sending sensitive information to students or parents, universities should use an encrypted email.
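The minimization and purging steps above can be expressed as a small policy routine. This is an added example, not code from EdTech or any university system; the field names, the retention periods, and the sample record are assumptions constructed for illustration.

```python
import uuid
from datetime import date

# Assumed policy: years each category is kept after graduation (None = indefinitely).
RETENTION_YEARS = {"grades": None, "disciplinary": 2, "banking": 1}
# Fields collected only to validate a fact, mapped to the flag recording the validation.
VALIDATION_ONLY = {"residency_document": "residency_validated"}

def minimize(student):
    """Copy the record, replacing the SSN with a random unique identifier and
    dropping validation-only fields once the validation has been recorded."""
    out = {k: v for k, v in student.items() if k != "ssn"}
    out.setdefault("student_id", uuid.uuid4().hex)
    for field, flag in VALIDATION_ONLY.items():
        if out.get(flag):
            out.pop(field, None)
    return out

def purge(student, today):
    """Split record items into kept and purged according to RETENTION_YEARS."""
    graduated = student.get("graduated")
    kept, purged = [], []
    for item in student.get("records", []):
        years = RETENTION_YEARS[item["category"]]  # KeyError: category has no policy
        expired = False
        # Severe disciplinary cases and current students are never purged.
        if graduated is not None and years is not None and not item.get("severe"):
            elapsed = today.year - graduated.year - (
                (today.month, today.day) < (graduated.month, graduated.day))
            expired = elapsed >= years
        (purged if expired else kept).append(item)
    return {**student, "records": kept}, purged

def apply_policy(student, today):
    return purge(minimize(student), today)

# Constructed sample record; the SSN is a deliberately invalid placeholder.
SAMPLE = {
    "name": "Student A", "ssn": "000-00-0000",
    "residency_document": "scan-001.pdf", "residency_validated": True,
    "graduated": date(2020, 5, 15),
    "records": [
        {"category": "grades", "detail": "transcript"},
        {"category": "disciplinary", "detail": "late library fees"},
        {"category": "disciplinary", "detail": "academic fraud", "severe": True},
        {"category": "banking", "detail": "work-study direct deposit"},
    ],
}

if __name__ == "__main__":
    print(apply_policy(SAMPLE, date(2023, 1, 1)))
```

A record category with no entry in the policy table raises an error instead of being silently retained, which forces every stored data type to have an explicit retention decision.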
Cybersecurity Regulations for Universities
In 2016, the federal government announced that new cybersecurity regulations would be applied to universities. Specifically, higher education institutions would need to comply with the National Institute of Standards and Technology (NIST) Special Publication 800-171. The regulation addresses how to deal with sensitive unclassified information. At the time, Joanna Lyn Grama, director of cybersecurity and IT GRC programs at EDUCAUSE, noted:
“Simply put, the evolving higher education threat landscape and very complex regulatory environment mean that ad-hoc approaches to data management and protection are no longer adequate and formalized information security programs, based on recognized frameworks and responsive to specific regulations, are required.”
In many cases, universities know the risks but fail to implement the procedural and technical changes necessary to protect sensitive information. Having more structured guidelines, like those provided by NIST, provides universities with a good stepping stone to strengthen their cybersecurity policies.
Although NIST’s guidelines initially targeted government agencies, the organization suggests that universities approach the framework through an enterprise risk lens. Additionally, colleges must inform employees, especially professors, that the new regulations are not designed to inhibit the free flow of knowledge (a cornerstone of education) but are rather focused on safeguarding the integrity of such information. In other words, perspective matters because it changes how cooperative people are and how successful a cybersecurity program will be.
Privacy Laws Pertaining to Universities
Federal law grants parents and students the right to opt out of providing their SSN. Furthermore, educational institutions cannot deny education to students who choose to use this right. The Family Educational Rights and Privacy Act (FERPA), passed in 1974 and updated since, seeks to protect students’ records. Universities must protect the privacy of information whether it be health-related (HIPAA) or academic information. Disclosures must be noted and students can request their records and how their information is used. FERPA applies not just to universities but also to school districts and agencies. In order for universities to follow these laws, they need to know what information they have and where that information is at all times. A sound cybersecurity plan will assist greatly in protecting and organizing the data handling process.
At a Glance Higher Education Cybersecurity Checklist
- Assemble a team of academics, administration and research individuals who will bring many perspectives to the table when developing a cybersecurity plan.
- Take stock of what information is collected and stored as well as which departments need what information.
- Conduct a risk analysis to estimate the impact of potential attacks. This will help identify what information or systems are critical. A third party may assist during this step to reduce the resources necessary or to obtain an objective perspective.
- Understand the compliance challenges including organizational change management, training, end-user adoption, and process controls.
- Review NIST’s cybersecurity framework and identify what requirements apply to your university and the necessary scope of implementation.
- Delegate responsibilities during the implementation process.
- Bring in a third party to assess the cybersecurity plan and review its effectiveness.
Students and parents expect privacy and security when it comes to their information. While many universities acknowledge the threats, few take proactive approaches to protecting their data. Do you need help assessing your institution’s cybersecurity awareness or security plan effectiveness? If yes, or if you are simply interested in learning about methods to better protect your information, contact RSI Security today for a consultation.