To enhance the learning experience, streamline administrative processes, and foster collaboration, higher education institutions have embraced technology advancements. However, with the growing reliance on technology comes an increased risk of cyber threats, making higher education institutions prime targets.
Cybersecurity has become a paramount concern for higher education institutions, as they handle vast amounts of sensitive data. This includes personally identifiable information (PII), electronic protected health information (ePHI), research data, and intellectual property. Furthermore, colleges and universities across the United States are also subject to the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information (better known as the Safeguards Rule).
This blog explores the top 5 cybersecurity concerns for higher education institutions and the measures to take to mitigate these risks.
Top 5 Cybersecurity Concerns for Higher Education
1. Ransomware
One of the most pressing cybersecurity issues is the risk presented by ransomware. This risk has only been increasing, according to studies performed by Sophos. The results indicate that 64% of responding higher education institutions were hit by ransomware in 2021, up from 44% the previous year. At the same time, higher education was the sector least able to prevent data from being encrypted during an attack.
Ransomware risks include both an inability to operate, due to the denial-of-service effects when your data is encrypted, and elements of a data breach. Data that is encrypted is also increasingly being exfiltrated, which allows for double-extortion ransomware schemes.
While many of the elements of this concern overlap with general network security, its rise in prevalence and potential impacts make it important enough to draw attention to on its own. The preventative actions noted below are also a good starting point to help prevent an initial infection.
Preventative Actions:
- Having effective detection and logging mechanisms in place to respond to an ongoing incident
- Conducting solid data back-ups
- Including at least one back-up location that is “offline” or not connected to your network (e.g., an air-gapped drive or cloud-based software)
- Implementing a strong incident response process that has been tested
2. Network Security Vulnerabilities
Higher education institutions often operate massive networks. This creates a wide attack surface for threat actors from both the open Internet and from within the university network.
Malicious threat actors can exploit network security vulnerabilities, such as unpatched software, device misconfigurations, and weak passwords. Hackers can use these vulnerabilities to gain unauthorized access to the network or escalate their privileges from within the network. This can ultimately lead to ransomware infections, sensitive data theft/exfiltration, or denial-of-service attacks, among other things. To bolster network security, institutions should consider a number of first steps from a “preventative” perspective.
Preventative Actions:
- Centralizing employee authentication systems, where possible, and enforcing strong password policies with multi-factor authentication (MFA)
- Implementing device hardening practices that leverage best practice benchmarks to configure systems prior to placing them into production
- Conducting regular patch management for all network devices, workstations, and servers
- Segmenting the network to restrict traffic flows between disparate subnets/VLANs
- Conducting annual penetration testing and monthly/quarterly vulnerability scanning to help proactively identify and address weaknesses in these areas
3. Social Engineering
Phishing attacks and social engineering remain among the most common cyber threats faced by higher education institutions. According to Verizon’s Data Breach Investigations Report (DBIR), 74% of all cybersecurity attacks across all sectors last year relied on the human element. Cybercriminals often craft very convincing emails to trick staff into divulging sensitive information directly, entering their credentials into spoofed websites, or executing malware on their workstations.
Since higher education institutions often interact with numerous stakeholders, many of whom are external to the organization, they are attractive targets for these types of attacks.
This is possibly the most challenging area to address, and institutions should invest in increasing their resilience to social engineering attacks over time.
Preventative Actions:
- Implementing technology such as spam filters, advanced antivirus/EDR/XDR solutions, and MFA enforcement
- Using strict firewall filtering (e.g., domain reputation-based filtering)
- Conducting regular security awareness training sessions to educate users about how to identify, resist, and report suspicious emails and phone calls
4. Data Breaches – Privacy Data, Intellectual Property, and Research Data Protection
Higher education institutions collect and store a plethora of sensitive information, such as student records, financial data, and research-related data. A successful breach could lead to devastating consequences, from identity theft and financial fraud to reputational damage and loss of funding. Ensuring data privacy requires maintaining a robust data security posture.
Protecting against data breaches at a higher education institution is synonymous with employing an overarching information security program. Be sure to include research departments and associated programs as part of the information security program and assessments. Cybersecurity should facilitate business processes while reducing risk, so that they can operate uninterrupted; it should not hinder operations.
Preventative Actions:
- Maintaining an information security program that includes a mixture of strategic and tactical assessments, allowing you to measure its effectiveness and improvements over time
- Conducting annual best practice gap assessments. This can help provide insight into the areas where your current security program is falling short and the areas of improvement with the highest return on investment from a security perspective.
- Performing tactical assessments like penetration testing annually. This will allow you to evaluate how effective your current security controls are and will help identify any shortcomings before real threat actors can take advantage of them.
5. Compliance Risk
Last but not least is the compliance risk associated with not maintaining a cybersecurity program. Failing to comply with industry regulations (like the Safeguards Rule) and general security best practices can cause serious issues. For example, failure to comply with the Safeguards Rule and maintain a “reasonable” information security program can result in fines of up to $100,000 per occurrence. Other “indirect” effects of non-compliance include failing to qualify for federal funding, contracts, or research grants. Additionally, qualifying for things like cyber insurance often has similar base requirements when it comes to your information security program.
Summary
A robust information security program can help prevent much bigger problems before they happen, such as data breaches affecting student PII or research data. By investing in technology, resources, and regular evaluation of security controls, higher education institutions can stay in front of many common security issues and make these top 5 cybersecurity concerns less concerning.
About the Author:
JR is Director of Penetration Testing at SIG. He holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.