Last month, Progress Software announced that its popular file-transfer tool MOVEit was compromised by cybercriminals. The breach gave the attackers “unauthorized access to the MOVEit transfer database,” putting many large, sometimes sensitive files sent through the platform at risk.
For colleges and universities that used MOVEit, including Johns Hopkins University, the attack triggered a campuswide security response. The university included a warning that “thousands of large organizations” were affected by the breach and that the incident “may have impacted sensitive personal and financial information” belonging to students, faculty and staff on campus.
What’s worse, even colleges that didn’t use MOVEit or partner with Progress Software may have had their data compromised. For example, the MOVEit breach affected three of Washington State University’s partners — the National Student Clearinghouse, the Teachers Insurance and Annuity Association and UnitedHealthcare — which put WSU data at risk.
While higher education institutions remain frequent targets of direct attacks from cybercriminals, the MOVEit incident highlights the interconnectedness of our technological world and the underappreciated threat known as third-party risk. Every individual, every piece of software, every Internet of Things device and so much more all present a pathway for attackers to indirectly obtain the valuable, sensitive data they’re after.
How Significant Is Third-Party Risk in Higher Education?
The only way to fully protect an institution from third-party risk is to keep every third party off a college network — which, of course, is impossible. Just consider the countless tools instructors use regularly, including learning management systems and collaboration software, and the third parties that provide services such as enhanced cybersecurity offerings to university IT departments.
Setting all that aside, any student, faculty member, administrator or staff member connecting to the campus network is still introducing any number of other third parties to the, well, party. Even someone signing up for a third-party service using their university-issued email account makes the network vulnerable to the effects of a third-party breach.
“Depending on the integration of application programming interfaces or other technologies, an institution’s third-party software may require accounts of the university network in order to communicate,” says Joseph Potchanant, director of the cybersecurity and privacy program at EDUCAUSE. “Any compromise to the third-party software, in turn, may give attackers a privileged gateway into the university’s system.”
“It is entirely possible that a breach within a third party may pose a direct risk to the university,” he continues. “Third-party exposure may include sensitive information regarding contracts, contacts and details that could create an opportunity for other direct attacks on the university network.”
Those could be phishing or other email attacks that could trigger ransomware incidents, Potchanant says.
The ubiquity of third-party influence extends beyond higher education, and so does the real threat of a network breach via an outside vendor. A recent study from the Cyentia Institute found that a staggering 98 percent of the 230,000 organizations it analyzed had a relationship with a third-party vendor that had suffered a breach in the past two years.
Third-party risk has become a significant enough concern that the Department of Education earlier this year issued guidelines for higher education institutions regarding their relationships with third-party vendors, building on existing, broadly applicable regulations previously issued by the Federal Trade Commission.
How Can Higher Ed Protect Itself from Third-Party Risk?
Thankfully, as awareness of third-party risk has risen, IT leaders and cybersecurity experts have also become more adept at defending against the threat.
One helpful tool specifically designed to vet outside vendors is a third-party risk management solution that sets up a series of key performance indicators and judges how well vendors are addressing them. For higher education in particular, where colleges and universities are likely to be welcoming multiple third parties onto their networks, an integrated risk management solution that analyzes the deep pool of vendors holistically might be an even better answer.
In addition, policies that require third-party vendors to disclose information about their tools give institutions visibility into those tools and aid in network defense when an attack is attempted. Network segmentation and privileged access management — two steps on the road to zero trust — can also help secure the mountains of data that institutions collect, and are more generally part of good overall cyber hygiene.
Failing to have good cyber hygiene and a clear vision into the network puts colleges and universities at risk, including from third-party tools, especially if institutions aren’t managing their data effectively.
“Robust data governance and proper data auditing play a key role in protecting the privacy and security of your constituents,” Potchanant says. “Without it, a university would be unaware of how much of its own data has been exposed in a third-party data breach.”
There are great cyber defense policies and practices available to minimize the risk an institution accepts, including third-party risk management, privileged access management and network segmentation. However, experts like Potchanant stress a comprehensive approach rather than relying on a single tool. Practicing good cyber hygiene is an ongoing challenge, and educating students, faculty and staff on safe cyber practices is the only way to maintain network security, as those users are frequently the first line of defense.
What Should Higher Ed Institutions Do After a Third-Party Data Breach?
In the event that an individual user makes a mistake, even one that potentially compromises the network, Potchanant says it’s crucial to quickly move beyond what caused the intrusion and concentrate on fixing it.
“It is more important to focus on user impact than assigning blame,” he says. “While the cause of the data breach — internal versus external — is important, the most important perspective an institution will focus on is that its data was exposed. The investigation stage will reveal the root cause of the incident, next steps, how it affects insurance claims and the future of the relationship with the third-party vendor.”
Once the threat has been mitigated, institutions will still be connected to third-party vendors and must stay vigilant against that risk.
The Higher Education Community Vendor Assessment Toolkit, developed by the Higher Education Information Security Council at EDUCAUSE, is a questionnaire designed for colleges and universities to analyze their relationships with outside vendors. It is one way to investigate vendors before their third-party tools appear on campus.
Beyond that, Potchanant recommends taking a look at data collection and storage practices. Institutions should maintain only the data they need to — either by law or because of internal best practices — to shrink the amount of information at risk of attack.
“If you don’t need certain data, then don’t keep it,” he says. “Hoarding of data only increases the risk when a breach of some kind occurs.”