Cyberthreats are getting worse. Sixty-two percent of organizations surveyed said they had experienced a security breach or a near breach in the previous six months, according to “The Cybersecurity Insight Report” published earlier this year by CDW.
And while industries such as finance, health and retail often top cyber hit lists, postsecondary schools are increasingly under threat.
As noted by The Washington Post, three private universities recently had their student admissions data compromised, while students at Regis University just arrived back at campus and discovered the entire IT infrastructure offline while staff dealt with an “external malicious threat that likely originated outside the country,” according to the Rev. John P. Fitzgibbons, university president.
This is the new normal for cybersecurity: Attackers aggressively testing network defenses are “when,” not “if” scenarios — and failing this security exam can have serious repercussions for both students and staff.
Welcome to the fall 2019 higher education cybersecurity roundup — here’s what you need to know about current threats, unique postsecondary risks, user education and the evolution of effective incident response plans.
Higher Education Remains an Attractive Target for Phishing Scams
A recent whitepaper from Security Scorecard, the “2018 Education Cybersecurity Report,” has bad news for colleges: “Out of 17 industries in the U.S., education comes last in terms of total cybersecurity.”
The report called out poor industry performance in patching cadence, application security and network security.
What’s more, colleges are struggling to meet regulatory expectations around data handling and due diligence, putting them at risk of both data loss and potential lawsuits.
Along with general cybersecurity deficits, specific threats are on the rise. As noted by WHYY, phishing scams are increasingly targeting universities. In some cases, attackers are after relatively low-value items such as gift cards.
In others — such as the phishing scam that convinced staff at Canada’s Grant MacEwan University to change institutional banking information — losses totaled in the millions.
Also worrisome for universities are insider risks, such as users failing to comply with security policies or inadvertently falling for a phishing attempt.
James Kincaid, director of infrastructure operations at Bellevue University, notes that, “There are always internal threats. We can control some things, but can’t control how users write down information or answer emails to fully insulate us from threats.”
Put simply? Higher education faces a trifecta of security threats in 2019: Subpar security infrastructure, increasing attacks and the ongoing issue of insider threats.
User Behaviors and High-Value Assets Put Colleges on the Hit List
Students have high expectations for their postsecondary experience: According to a recent study from Waterloo University, students believe instructors should deliver compelling lectures so classes aren’t distracted by mobile phones and tablets.
This carries over into everyday use; unlike corporate IT environments where administrators have some control over what type of devices are used to access sensitive data, universities face the challenge of diverse mobile environments coupled with demands for anywhere, anytime access — almost 67 percent of students now say they use mobile devices to complete coursework online.
That means IT staff have a constantly growing, and decentralized, set of devices on which they must manage proper access controls to institutional information.
User preferences and behaviors are just one side of the story.
Higher education also remains a target because of the immense amount of data arising from academic research, particularly those with ties to government and corporate endeavors.
Augment Security Tools with a Strong Cybersecurity Culture
As universities gear up for their fall 2019 semester, what can they do to limit the risk of serious cyberattacks? For students and staff, two approaches are critical:
- Ongoing education — Regular cybersecurity training helps close common security gaps and reduces the risk of network compromise. At Bellevue, Kincaid points to recurring poster campaigns that list typical phishing techniques, and a recent Slate piece advises schools to implement (and promote) two-factor authentication and to deploy campuswide virtual private networks.
- Evolving culture — While training programs and VPNs help target specific concerns, ongoing improvement requires leaders to cultivate a culture of security that promotes shared awareness and responsibility. According to a recent guide from The Chronicle of Higher Education, this requires “strategic, campuswide communication efforts to create individual awareness and develop motivation for good habits.”
Sophisticated Threats Demand an Advanced Security Response
If universities fail to stop hackers at the network’s edge, there are no second chances. Stolen data could lead to compliance challenges, monetary fines and reputational damage, while compromised systems could impact enrollment, registration and day-to-day classwork.
Here, the right technology makes a critical difference in postsecondary defense. Effective solutions include:
- One-click reporting — According to Kincaid, Bellevue’s goal is to make incident reporting “seamless and effortless” for the university’s 1,500 staff members. That means creating one-click processes that let them easily notify IT of potential malware or phishing threats. Kincaid is also evaluating end-user analytic solutions to better monitor user behavior in real time.
- Artificial intelligence — Universities in Maryland are partnering to leverage advanced artificial intelligence functions, such as natural language processing and trend identification, to spot new threats and limit their impact.
- Simplified firewalls — Many postsecondary firewalls are complex, aging systems that can’t keep up with hybrid clouds and remote access requests. Simplified firewall solutions that include native intrusion detection and per-application rule sets can boost campus defenses.
- Comprehensive incident response plans — Incident response plans are critical to maximize technology’s impact. Bellevue’s plans are “updated continually” to determine what’s working, what isn’t and what needs to change, Kincaid says.
The bottom line for fall 2019? A lack of IT security, combined with targeted attacks and insider weaknesses, put student data and intellectual property at risk. Safeguarding critical resources demands a holistic IT approach to deliver ongoing education, build common culture and choose best-fit IT infrastructure.
For more on how to make 2019 a successful IT year, check out more of our back to campus content.