Higher education institutions and collectively the education industry have embraced technological advancements to enhance the learning experience, streamline administrative processes, and foster collaboration. However, with the growing reliance on technology comes an increased risk of cyber threats making higher education institutions prime targets.
Cybersecurity has become a paramount concern for higher education institutions, as they handle vast amounts of sensitive data. This includes personally identifiable information (PII), electronic protected health information (ePHI), research data, and intellectual property. In addition to wanting to protect the data they possess, colleges and universities across the United States are also subject to the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information (better known as the Safeguards Rule).
In this blog post, we will explore the top 5 cybersecurity concerns faced by higher education institutions and discuss the measures they can take to mitigate these risks.
1. Ransomware
One of the most pressing cybersecurity issues faced by higher education institutions is the risk presented by ransomware, which has only been increasing according to studies performed by Sophos. The results indicate that 64% of responding higher education institutions were hit by ransomware in 2021, up from 44% the previous year, while the sector was simultaneously the least able to prevent data from being encrypted during an attack.
The risk of ransomware comprises both an inability to operate, due to the denial-of-service effect of having your data encrypted, and the elements of a data breach, since encrypted data is increasingly also exfiltrated, enabling double-extortion ransomware schemes.
While many of the elements of this concern overlap with general network security, its rise in prevalence and its potential impacts make it important enough to draw attention to on its own. The preventative actions noted below are also a good starting point to help prevent an initial infection.
Equally important are effective detection and logging mechanisms for responding to an ongoing incident, solid data backups including at least one backup location that is “offline” or not connected to your network (e.g., an air-gapped drive or cloud-based software), and a strong incident response process that has been tested.
2. Network Security Vulnerabilities
Higher education institutions often operate massive networks. This creates a wide attack surface for threat actors from both the open Internet and from within the university network, as initial access can be trivial due to heavy student usage.
Network security vulnerabilities, such as unpatched software, device misconfigurations, and weak passwords, can be exploited by malicious threat actors to gain unauthorized access to the network or escalate their privileges from within the network.
This can ultimately lead to ransomware infections, sensitive data theft/exfiltration, or denial-of-service attacks, among other things.
To bolster network security, institutions should consider a number of first steps from a “preventative” perspective, including:
- Centralizing employee authentication systems, where possible, and enforcing strong password policies with multi-factor authentication (MFA).
- Implementing device hardening practices that leverage best practice benchmarks to configure systems prior to placing them into production.
- Conducting regular patch management for all network devices, workstations, and servers.
- Network segmentation to restrict traffic flows between disparate subnets/VLANs.
- Annual penetration testing and monthly/quarterly vulnerability scanning to help proactively identify and address weaknesses in these areas.
3. Social Engineering
Phishing attacks and social engineering remain among the most common cyber threats faced by higher education institutions.
According to Verizon’s Data Breach Investigations Report (DBIR), 74% of all cybersecurity attacks across all sectors last year relied on the human element. Cybercriminals often craft very convincing emails to trick staff into divulging sensitive information directly, entering their credentials into spoofed websites, or executing malware on their workstations.
Since higher education institutions often interact with numerous stakeholders, many of whom are external to the organization, they are attractive targets for these types of attacks.
As this is possibly the most challenging area to address, institutions should invest in increasing their resilience to social engineering attacks over time. Technology such as spam filters, advanced antivirus/EDR/XDR solutions, MFA enforcement, and strict firewall filtering (e.g., domain reputation-based filtering) can help reduce the effectiveness of many types of phishing.
Most importantly, regular security awareness training sessions that educate users on how to identify, resist, and report suspicious emails and phone calls are key.
4. Data Breaches – Privacy Data, Intellectual Property, and Research Data Protection
Higher education institutions collect and store a plethora of sensitive information, such as student records, financial data, and research-related data. A successful breach could lead to devastating consequences, ranging from identity theft and financial fraud to reputational damage and loss of funding. Ensuring data privacy requires maintaining a robust data security posture.
Protecting from data breaches at a higher education institution is synonymous with employing an overarching information security program. To address this concern, institutions should maintain an information security program that includes a mixture of strategic and tactical assessments to measure its effectiveness and improvements over time.
Annual best practice gap assessments can help provide insights to the areas where your current security program is falling short and areas of improvement with the highest return-on-investment from a security perspective.
Additionally, tactical assessments like penetration testing should be performed on at least an annual basis to evaluate how effective the security controls you believe are in place really are, identifying any shortcomings before real threat actors can take advantage of them.
Be sure to include research departments and associated programs in the information security program and its assessments. Cybersecurity should facilitate business processes while reducing risk, so that they can operate uninterrupted; it should not hinder operations.
5. Compliance Risk
Last but not least is the compliance risk associated with not maintaining a cybersecurity program. While potentially less impactful than a data breach or successful phishing attack, failing to comply with industry regulations (like the Safeguards Rule) and general security best practices can cause serious issues.
Failure to comply with the Safeguards Rule and maintain a “reasonable” information security program can result in fines of up to $100,000 per occurrence.
Non-compliance could also have other “indirect” effects on the institution, such as failing to qualify for federal funding, contracts, or research grants. Additionally, qualifying for things like cyber insurance often has similar base requirements when it comes to your information security program.
A robust information security program can help prevent much bigger problems before they happen, such as data breaches affecting student PII or research data.
By investing in technology, resources, and regular evaluation of security controls, higher education institutions can stay in front of many common security issues and make these top 5 cybersecurity concerns less concerning.
To learn how SIG can help your higher education institution address these five (and other) top cybersecurity concerns, please contact us today.
About the Author:
JR, Director of Penetration Testing at SIG, holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.