Retaining openness and transparency while reducing cyber risk is the Holy Grail of educational IT and challenging to implement.
A 2019 report released by IT security company Mimecast indicated that universities reported nine times as many attacks per user as the average across all other industries. Higher education institutions (HEIs) are also the second most common target for spammers. Surprised? Well, it turns out that HEIs have a lot to offer cybercriminals and state actors, combining a wealth of data under one roof or campus. This data includes but is not limited to:
- Student and staff records – This typically includes financial, health, and academic records as well as other personally identifiable information (PII) such as social security, driving license or passport details.
- Academic data – Material for open learning or paid online courses.
- Research data – A prime target for state actors or financially motivated cybercriminals. Many universities are partly funded by research, some of which is highly sensitive or classified.
With such an attractive dataset, it’s not surprising hackers target HEIs to such an extent.
One might wonder why HEIs seem unprepared for data breaches. Well, the academic world is a little less cutthroat than the business world, and objectives are based more on openness than on exclusion, perhaps to emulate their campuses. That said, HEIs also face other issues, some of which may be specific to their own networks or institution objectives.
What Makes Higher Ed Vulnerable?
Historically, HEIs were online before most of us, using text-only solutions rather than the internet browsers of today. This made them visible targets for early hacking pioneers seeking to change their grades (if you believe the movies) or pursuing more sinister motives such as data acquisition. Having gone from early adopters to lagging behind in technology (as innovations and threats evolve so fast these days), many HEIs find themselves hopelessly outmatched against hackers who use the latest tools and methods.
A typical HEI has multiple departments or fields of discipline, and this often results in internal discrepancies, given that a physics or computing department will require more resources than a culinary or literature-focused department. Often, each department will have a separate IT infrastructure (in another building, perhaps), which complicates matters for the IT teams tasked with supporting the entire campus.
HEIs have high-speed broadband to support thousands of users (staff and students). This makes them attractive hacking targets as their infrastructure is sometimes used to launch massive attacks on other targets.
In addition, universities typically embrace BYOD, to allow students and staff easy access to campus resources. This, in itself, is a security risk.
A global shortage of cybersecurity professionals is another problem, as HEIs are unlikely to offer the salaries and benefits provided by commercial companies, especially the larger ones.
Reducing Risk While Maintaining Academic Goals
The first step in any security strategy that must facilitate large-scale sharing or collaboration is to form a goal-oriented team. This team must have all departments represented, but especially IT. Invite feedback from everyone and identify all of the following:
- The data gathered and stored
- Who needs to access it and why
- Any cloud-based activities
- Any data governance or privacy regulations for the education sector in your region. Given that many HEIs charge fees, house, feed, and offer healthcare to students, it’s likely that a wide range of regulations will apply.
Once this information is known, consider segregating your data according to desired permissions by role or policy, informing IT of all requirements, desired software, and other resources in use.
Note: IT cannot protect key research data if they are not informed of its existence and location.
Identify potential threats for each data set. Again, IT are the experts here, so ask them to draft a cybersecurity strategy that complements your institution’s academic goals in terms of sharing, collaboration, and transparency.
Broadly speaking, regardless of industry, the biggest threats come from SQL injection, ransomware, and phishing attacks. The first is prevented by writing better code and locking down databases, while the other two are only successful when the user clicks on links or opens a document, attachment, etc. contained in a ‘convincing’ email from a bank, a government department, a long-lost relative with money to transfer, or an existing service or product provider.
While it’s true that there’s no such thing as 100% secure, it’s also true that human error is responsible for many data breaches, regardless of the number of security awareness training courses offered to users. Consider running these ‘courses’ in a manner that prevents access to the HEI infrastructure unless completed, especially for staff members and enrolled students. Prospective students shouldn’t have access to anything but ‘open’ or free to access resources.
Threat Detection and Prevention
Use the tools available to protect your infrastructure. Choose your preferred privacy-focused search engine and research the solutions available for the educational market. Poll your industry contacts to see what’s working in other HEIs and, of course, inform them of any new threats you identify.
Education is known for collaboration, so there is no excuse for avoiding security team formation to reduce the risk of a data breach. Work with proven companies and products to identify the best solution for your HEI AND don’t expect to MacGyver the existing infrastructure. IT is only as good as the tools their budget allows.
If in doubt about compliance obligations or strategy implementation, check industry organizations for specifics for your region. In the U.S., the Readiness and Emergency Management for Schools Technical Assistance Center (REMS for short) is a valuable resource, with links to other relevant organizations. Other locations will have equivalent solutions.
And just like your business counterparts, when it comes to data breaches, the size of your institution is irrelevant. It’s best to have the tools to protect your data and not need them than lose it in a breach thanks to ill-founded complacency. Or something like that.