Cybersecurity Tips for Higher Education

In a 2020 poll of 154 educational institutions, 40% of respondents said that cybersecurity has become much more important since the pandemic and the shift to remote learning. In a May 2021 article, Brian Kelly, the Director of the Cybersecurity Program at EDUCAUSE, references this poll as he gives a dire warning: cybersecurity risks will continue to increase. He also suggests that higher education institutions should focus more on cybersecurity in the coming years, and identify new trends and emerging technologies to protect their campuses and students.

Is Kelly right?

Turns out – he is.

In July 2020, Comparitech reported that since 2005, U.S. schools, colleges, and university systems have experienced over 1,300 data breaches that led to the exposure of over 24.5 million records. Another report said that between July and September 2020, the number of attacks targeting the education sector had increased by 30%, compared to an increase of 6.5% against all other sectors.

What are the key risks and threats to higher education cybersecurity?

And what can educational institutions do to protect themselves from threat actors, cybercriminals, and data thieves?

Cyber threats to colleges and universities have increased steadily over the past decade and even more so since the COVID-19 pandemic. Compared to the increase in cyber threats across all other sectors (6.5%), attacks against the education sector have increased even more (30%) in 2020. 

The Biggest Cybersecurity Risks in Higher Education

What attracts cybercriminals to colleges and universities?

In a word – data.

Educational institutions are a treasure trove of personal data such as student data, proprietary information, and research data. The latter two are often tied to for-profit organizations (private and public) and government departments and contain valuable information about financial, healthcare, military, and emerging technologies. This data is invaluable to threat actors who often sell it to rogue nation-states and other cybercriminals.

That’s why data protection is the need of the hour in higher education. But this is easier said than done. For one, university researchers and information security teams don’t communicate enough about the cybersecurity threats to data. This lack of dialogue hinders the institution from securing its systems and data.

Furthermore, end users are a huge threat to data security in higher ed. In 2019, a study found that 20% of college and university faculty prefer convenience over security when it comes to personal devices. No wonder there was an uptick in both the variety of threats and the volume of confirmed data disclosure attacks in education during the year.

The increasing adoption of remote work and remote learning has further increased cybersecurity risk for higher educational institutions. Teachers and students both use laptops, tablets and mobile phones that store valuable institutional data. But these endpoints are not adequately protected, leaving them vulnerable to exploitation by threat actors.

The increasing use of video conferencing technologies and practices also weakens the security of users like students, faculty, or researchers, and puts their data at risk.

Another big cybersecurity risk in education comes from the increasing use of cloud-based Software-as-a-Service (SaaS) platforms. Since institutions’ data resides in the cloud, it is increasingly vulnerable to theft or compromise. The risk is exacerbated because users often access this data remotely, from insecure devices, and via insecure home or open public WiFi networks.

Cybercriminals like to target colleges and universities because of the vast amounts of easily hackable data used by students, professors, and researchers. With a relatively minimal amount of effort, cybercriminals can yield large rewards by targeting educational institutions.

The Biggest Cybersecurity Threats in Higher Education

Clearly, in higher ed, malicious attackers have plenty of opportunities to gain network access and steal data. But how are they doing this? More often than not – via ransomware attacks.

Threat actors often leverage ransomware to lock university devices and encrypt their data. Sometimes, they threaten to release sensitive data on the dark web. Back in 2016, ransomware attackers demanded low ransoms of around $250. By 2019, the average ransomware demand rose to $115,123. By 2020, it shot up to $312, 493. 

Some universities like the University of California, San Francisco have paid upwards of $1 million to ransomware attackers. Basically, any college or university that has student or research data, and critical, time-sensitive operations is vulnerable to cyber extortion. In other words, all higher ed institutions are vulnerable to ransomware attacks and cyber extortion.

Phishing emails are another huge threat for educational institutions, with one study revealing that almost 90% of top U.S. higher ed institutions fail to protect students and faculty from phishing attacks.

Attackers also use stolen credentials to leverage ransomware, steal sensitive information, and block access to systems and data in exchange for hefty ransoms.

Ransomware attacks, often via phishing emails, are the most common type of attack today against colleges and universities. Alarmingly, nearly 90% of U.S. higher ed institutions do not adequately protect students and faculty from phishing attempts. 

Best Practices to Strengthen Cybersecurity in Higher Ed

Brian Kelly of EDUCAUSE believes that educational institutions should view cybersecurity as a mission-enabler, not as an impediment to learning. This change in perspective – where cybersecurity is viewed as a value-add rather than as a hindrance –  is a vital first step to stronger cybersecurity in higher education.

University IT departments should also identify and implement the latest security tools, technologies, and practices to better protect their networks, users, and data. Their Chief Information Security Officers (CISOs) should enable the effective use of all such technologies, including multi-factor authentication (MFA) and single sign-on (SSO). These two technologies in particular can minimize the risks of password-related cyber attacks. They can also ease the user experience for users, considering that many of them worry about it, even more than they worry about cyber attacks. 

Institutions should be more careful about how they collect, store and use sensitive data. They must deploy strong data protection controls, and comply with data governance and privacy standards. Equally important, they must also educate users on cybersecurity hygiene practices so they can protect their own data, as well as the institution from attacks.

Universities and colleges must also employ strong cybersecurity measures, such as network monitoring, risk assessments, firewalls, VPNs, intrusion detection systems, and endpoint detection and response (EDR) platforms. Software upgrades and patches are also crucial to prevent attacks and data hacks.

Colleges and universities should invest in basic cybersecurity hygiene such as employing a CISO, mandating the use of multi-factor authentication, conducting regular risk assessments, and keeping software up-to-date. Measures such as these can substantially mitigate the risk of cyberattacks. 

Conclusion

Even before the pandemic, IT teams at colleges and universities worried about privacy and security. After the pandemic, these worries have escalated even further. In the coming years, educational institutions will remain vulnerable to cybercriminals and data thieves. To mitigate risk, every college and university must scale up its cybersecurity program and implement cybersecurity best practices to protect its systems, users, and data.