Top 5 Cybersecurity Concerns for Higher Education

Higher education institutions have embraced technological advancements to enhance the learning experience, streamline administrative processes, and foster collaboration. However, with the growing reliance on technology comes an increased risk of cyber threats. Cybersecurity has become a paramount concern for these institutions, as they handle vast amounts of sensitive data that includes personally identifiable information (PII), electronic protected health information (ePHI), research data, and intellectual property. In addition to wanting to protect the data they possess, colleges and universities across the United States are also subject to the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information (better known as the Safeguards Rule). In this blog post, we will explore the top 5 cybersecurity concerns faced by higher education institutions and discuss the measures they can take to mitigate these risks.

Ransomware

One of the most pressing cybersecurity issues faced by higher education institutions is the risk presented by ransomware, which has only been increasing according to studies performed by Sophos. The results indicate that 64% of responding higher education institutions were hit by ransomware in 2021, up from 44% the previous year, while being the least able sector to prevent data from being encrypted during an attack. The risk of ransomware comprises both an inability to operate, due to the denial-of-service effect of having your data encrypted, and elements of a data breach, as data that is encrypted is increasingly also exfiltrated at the same time to enable double-extortion ransomware schemes.

While many of the elements of this concern overlap with general network security, its rise in prevalence and potential impacts make it important enough to draw attention to on its own. The preventative actions noted below are also a good starting point to help prevent an initial infection. But equally important is the need to have effective detection and logging mechanisms in place to respond to an ongoing incident, solid data back-ups including at least one back-up location that is “offline” or not connected to your network (e.g., an air-gapped drive or cloud-based software), and a strong incident response process that has been tested.

Network Security Vulnerabilities

Higher education institutions often operate massive networks, by comparison to other verticals of private institutions, that contain a wide variety of devices, systems, and software. This creates a wide attack surface for threat actors from both the open Internet and from within the university network, as initial access can be trivial due to heavy student usage. Network security vulnerabilities, such as unpatched software, device misconfigurations, and weak passwords, can be exploited by malicious threat actors to gain unauthorized access to the network or escalate their privileges from within the network. This can ultimately lead to ransomware infections, sensitive data theft/exfiltration, or denial-of-service attacks, among other things.

To bolster network security, institutions should consider a number of first steps from a “preventative” perspective, including:

  • Centralizing employee authentication systems, where possible, and enforcing strong password policies with multi-factor authentication (MFA).
  • Implementing device hardening practices that leverage best practice benchmarks to configure systems prior to placing them into production.
  • Conducting regular patch management for all network devices, workstations, and servers.
  • Segmenting the network to restrict traffic flows between disparate subnets/VLANs.
  • Performing annual penetration testing and monthly/quarterly vulnerability scanning to proactively identify and address weaknesses in these areas.

Social Engineering

Phishing attacks and social engineering remain among the most common cyber threats faced by higher education institutions, with 74% of all cybersecurity attacks across all sectors last year relying on the human element per Verizon’s Data Breach Investigations Report (DBIR). Cybercriminals often craft very convincing emails to trick staff into divulging sensitive information directly, entering their credentials into spoofed websites, or executing malware on their workstations. Since higher education institutions often interact with numerous stakeholders, many of whom are external to the organization, they become attractive targets for these types of attacks.

Social engineering is possibly the most challenging area to address, and institutions should invest in increasing their resilience to it over time. Technology such as spam filters, advanced antivirus/EDR/XDR solutions, MFA enforcement and strict firewall filtering (e.g., domain reputation-based filtering) can help reduce the effectiveness of many types of phishing. Most importantly, regular security awareness training sessions that educate users about how to identify, resist, and report suspicious emails and phone calls are key.

Data Breaches – Privacy Data, Intellectual Property, and Research Data Protection

Higher education institutions collect and store a plethora of sensitive information, such as student records, financial data, and research-related data. A successful breach could lead to devastating consequences, ranging from identity theft and financial fraud to reputational damage and loss of research funding. Ensuring data privacy requires maintaining a robust data security posture.

Protecting against data breaches at a higher education institution is really synonymous with employing an overarching information security program. To address this concern, institutions should maintain an information security program that includes a mixture of strategic and tactical assessments to measure its effectiveness and improvements over time. Annual best practice gap assessments can help provide insight into the areas where your current security program is falling short and the areas of improvement with the highest return-on-investment from a security perspective. Additionally, tactical assessments like penetration testing should be performed on at least an annual basis to evaluate how effective the security controls you think are in place really are, identifying any shortcomings before real threat actors can take advantage of them.

Research departments and associated programs need to be considered and included as part of the information security program and assessments, even when access controls and the principle of least privilege can be seen as hurdles or interrupters for the progress and goals of academic research. Cybersecurity should facilitate business processes while reducing risk, so that they can operate uninterrupted, rather than hindering operations.

Compliance Risk

Last but not least is the compliance risk associated with not maintaining a cybersecurity program. While potentially less impactful than a data breach or successful phishing attack, failing to comply with industry regulations (like the Safeguards Rule) and general security best practices can cause issues as well. Failure to comply with the Safeguards Rule and maintain a “reasonable” information security program can result in fines of up to $100,000 per occurrence. Non-compliance could also have other “indirect” effects on the institution, such as failing to qualify for federal funding, contracts, or research grants. Additionally, qualifying for things like cyber insurance often has similar base requirements when it comes to your information security program.

Ultimately, if for no other reason than making compliance a non-issue, maintaining a cybersecurity program within your college/university is extremely important. More importantly though, a robust information security program can help prevent much bigger problems before they happen, such as data breaches affecting student PII or research data. By investing in technology, resources, and regular evaluation of security controls, higher education institutions can stay in front of many common security issues and make these top 5 cybersecurity concerns less concerning!