He also notes that in recent years, attacks focused on compromising business email and attacks via software or hardware vulnerabilities have outpaced malware. Meanwhile, recent advancements in tools such as generative AI have made it easier for attackers to write code. As a result, malicious actors can put in minimal effort and still see success.
And while colleges and universities don’t offer the same potential financial windfalls as targets such as banks, law firms or healthcare organizations, they often lack the IT and cybersecurity budgets to create an effective defense against malware efforts.
How Do Attackers Gain Access to Higher Ed Networks?
As noted above, one common method of attack is to use existing vulnerabilities, either known or unknown. In the case of a known vulnerability, a higher ed IT department may simply lack the time and resources to patch the problem, especially if doing so could result in potential system downtime. When it comes to unknown or zero-day exploits, meanwhile, institutions may find themselves under threat with little to no warning.
Despite these risks, however, Potchanant makes it clear that people remain the most likely path to compromise.
“Data from EDUCAUSE and the industry, such as the Verizon Data Breach Investigations Report, show that the majority of compromises occur due to a ‘human element,’” he says. “This is most likely done by social engineering with phishing or website redirects that mimic a legitimate website, which allows attackers to pass the credentials to the legitimate site and steal the password when the user enters their credential. The user is none the wiser because they were able to access exactly what they thought they were trying to access.”
Using What You’ve Got: How Higher Ed Can Fight Back
While rising attacks are worrisome for post-secondary schools — a recent EDUCAUSE article notes that cybersecurity attacks are becoming more sophisticated — schools have a built-in defense against these attacks: education.
“As cybersecurity attacks become more sophisticated, user education must try to keep pace,” Potchanant says. “Removing the stigma or embarrassment from reporting a phishing attack to your IT or cybersecurity department is crucial to gaining trust with your user community.”
By giving students and instructors the tools and training they need to identify and report attacks, and by ensuring that they’re encouraged to report these attacks whenever possible, colleges and universities can reduce the risk of attacks that make their way undetected through their networks.
Potchanant also notes that while user training is important, “those of us in IT and cybersecurity cannot expect every user to be an expert.”
As a result, schools must also deploy solutions capable of automatic URL scanning for embedded email links and use tools such as multifactor authentication that make it more difficult for attackers to gain access.
“It’s like having two separate keys to a safe,” Potchanant says. “The chances of a bad actor gaining access to both keys is lower than just one.”
The bottom line? Malware in higher education is growing. With an education-focused approach, however, IT teams can reduce their total risk.