Is higher education paying enough attention to cyber security?

Posted by Coral Christopher on Jan 25, 2017 5:31:43 AM

There is a collective sense of shock and fear whenever we hear about a large-scale cyber attack such as the one that took place on October 21. If you were on the East Coast at that time, you likely lost access to most of the internet due to a distributed denial of service attack (called a DDoS). Of course, this loss of consumer internet access gained a lot of attention, with everyone noticing and discussing it in depth. But are we paying enough attention to cyber security in higher education?

Not only grades and other performance records, but all personally identifiable information (PII)—that is, any data that could identify a specific individual, distinguish one person from another or remove anonymity—is at risk from a cyber security breach in higher education. A recent search of the Privacy Rights Clearinghouse database revealed 30 data breaches of educational institutions between Jan. 1, 2015, and June 15, 2016, and those are only the reported incidents that fit the Clearinghouse’s criteria. Half of those breaches affected colleges and universities, and two schools—the University of Connecticut and the University of Virginia—experienced multiple attacks within a six-month period.

The Clearinghouse also noted that in 2014, five colleges actually experienced larger breaches than the infamous Sony hack. These and other incidents made higher education rank as the third most popular target of cyber-attackers in Symantec’s 2015 Internet Security Threat Report. The education sector accounted for 10 percent of the total number of reported incidents, the report said. As a result, cyber security will be among the hottest topics in higher education in 2016.

Why higher education is such a big target

Admittedly, health care and other sectors have experienced the most serious data breaches, yet higher education institutions have many (if not most) of the same security concerns as a normal business. Most colleges and universities now allow:

  • Online applications that contain sensitive personal information
  • Online payments
  • Access to their networks by a variety of non-secure student devices, including smartphones, laptops, tablets and other devices that are vulnerable to hacking
  • Robust internet connectivity to support residence halls and research
  • Connections to privately owned machines that are not secure

Students who use school internet connectivity for social media and to stream Netflix, for example, can also expose the networks to hackers. And unlike banks and retailers, college and university networks are traditionally more open—it’s part of higher ed’s philosophy of a free exchange of thought. This philosophy is made even more risky when you consider that 60 percent of all attackers are ‘insiders,’ according to IBM’s 2016 Cyber Security Intelligence Index. Whether they have malicious intent or simply serve as inadvertent actors, those with inside access can pose a significant threat.

What’s more—there’s a TON of material worth stealing in these networks, from personal and financial information about students, parents, faculty and staff, to critical intellectual property, grant-holder research, dissertation materials, exam results and more.

The problem isn’t going away

According to the Privacy Rights Clearinghouse, approximately seven percent of all U.S. colleges and universities had at least one data breach between 2005 and 2014, and a third of those have had more than one. Astonishingly, 19 institutions had FIVE OR MORE! Using these figures, more than two percent of all U.S. colleges and universities have experienced more than one data breach.

Complicating the problem is that most colleges and universities have tight IT and security budgets, which leads to longer lifespans for equipment. Let’s face it—many older systems are less secure and easier to compromise. David Crain, assistant provost and chief information officer at Southern Illinois University, wrote about the resource issue in an interesting article entitled “Insecurity U” for CIOReview.com:

“Universities, on average, spend $152 per employee on information security, which is much less than the average of $381 spent per employee across all U.S. industries…the fact that we spend just 40 percent as much per employee on information security is troubling enough, but reduce that number to account for institutional FTE (students plus employees) and the situation becomes truly dire. Additionally, we have an added compliance burden that other industries don’t face…in addition to PCI (credit card) compliance, we have HIPAA and FERPA…”

Fighting back

Forget the fact that many schools are just beginning to take measures to protect themselves that should have been put into place years ago. It’s not too late to fight back, regardless of budget and resources. Here are a few recommendations from security experts at IBM and VMware that merit serious consideration:

  • Think more like a business – higher ed institutions must value their own records and research as much as businesses value their customer data. There is no such thing as 100 percent secure, so institutions must prioritize their objectives and set their risk tolerance. That means making hard decisions about different levels of security based on what is being protected.
  • Create a security-conscious culture – every employee and student must be educated to understand the importance of the risks and of their role in protecting sensitive information. Colleges and universities must balance openness and collaboration with common sense. Ongoing campus awareness programs and employee training sessions can be effective if they are reinforced regularly. When it comes to data protection, ‘one and done’ doesn’t work.
  • Have a crisis plan ready – create and test an incident response plan and be sure it is communicated to all appropriate parties. As one security expert put it, it’s always better to have a fire extinguisher on hand BEFORE there’s a fire.
  • Make cyber security a top priority – put cyber security on par with funding, health and safety, and other board-level priorities.
  • Differentiate data access – configure user access to confine access to highly sensitive data. It sounds obvious, but make user profiles fit user needs. Not everyone needs access to everything. Also limit data sharing capabilities and specify which information can be downloaded, copied, printed, etc., and on which devices.

What is your institution doing?

Cyber security is one of those topics that warrants an entire blog series. What is your school doing to address the issues surrounding this important subject? Share your ideas to keep the conversation going!

 

Topics: Missouri Baptist Online, Tips and advice for online students