Setting all that aside, any student, faculty member, administrator or staff member connecting to the campus network is still introducing any number of other third parties to the, well, party. Even someone signing up for a third-party service using their university-issued email account makes the network vulnerable to the effects of a third-party breach.
“Depending on the integration of application programming interfaces or other technologies, an institution’s third-party software may require accounts of the university network in order to communicate,” says Joseph Potchanant, director of the cybersecurity and privacy program at EDUCAUSE. “Any compromise to the third-party software, in turn, may give attackers a privileged gateway into the university’s system.”
“It is entirely possible that a breach within a third party may pose a direct risk to the university,” he continues. “Third-party exposure may include sensitive information regarding contracts, contacts and details that could create an opportunity for other direct attacks on the university network.”
Those could be phishing or other email attacks that could trigger ransomware incidents, Potchanant says.
The ubiquity of third-party influence extends beyond higher education, and so does the real threat of a network breach via an outside vendor. A recent study from the Cyentia Institute found that a staggering 98 percent of the 230,000 organizations it analyzed had a relationship with a third-party vendor that had suffered a breach in the past two years.
Third-party risk has become a significant enough concern that the Department of Education earlier this year issued guidelines for higher education institutions regarding their relationships with third-party vendors, building on existing, broadly applicable regulations previously issued by the Federal Trade Commission.