Higher education institutions are a prime target for cybercriminals, and IT needs resources to prevent attacks and provide a proper level of security.
No industry or sector is immune to data breaches, but some are targeted more often than others. Education came ahead of government, retail and financial sectors, and it was second only to healthcare on Trend Micro’s list of the most-breached industries.
With more than 500 security breaches across 320 higher education institutions since 2005, higher ed accounts for 35 percent of all breaches, according to an enlightening infographic from SysCloud.
Universities and colleges are a high-priority target for a number of reasons:
- They may be easier to attack than other sectors.
- They store millions of records with lots of personally identifiable information.
- They store valuable research and intellectual property.
- They can provide sideways access into more secure organizations.
- High-speed networks and massive computation ability make them an excellent platform for attacking others.
- They operate highly decentralized IT environments.
The list goes on, so it’s no wonder that concerns are being raised. Let’s drill into the top five InfoSec concerns for higher education.
The potential exposure to malware for educational institutions is massive. A huge range of devices have access to networks and systems at universities and colleges. Students and teaching staff use university computers to check personal email, update social media, shop, watch movies and download all sorts of files.
It’s difficult for IT to keep track of all the traffic and ensure nothing untoward makes it onto the network. In too many cases, they lack the necessary tools to detect and respond to attacks. Building malware defenses is vital, but detection and remediation are too often neglected. When malware isn’t caught quickly and dealt with, it has a chance to burrow deeper.
2. Exploits in database systems and servers
Many universities and colleges employ monolithic internal database systems that may be easy to exploit. Simply identifying and patching all known exploits on institution servers can be a challenge when resources are tight. Many of these systems were built without security in mind, so retrofitting security protocols can be tricky, but it must be done. Known exploits are an easy inroad for cybercriminals, and there are many different endpoints that offer access.
3. Phishing attacks
It’s often easier for attackers to trick people into handing over login details and other sensitive data than it is to gain access by other means. Phishing attacks are growing more and more sophisticated and spreading from email to social media and beyond. Students and teaching staff need to be educated on the risks of clicking links in emails or responding to unverified requests. But that alone won’t be enough to stop successful phishing attacks. Education must be backed up by real-time monitoring and scanning tools that can identify suspicious behavior and traffic and flag it.
4. Vulnerabilities in websites and servers
Without vulnerability management, many universities and colleges leave themselves open to external attack through websites and servers. Cybercriminals can exploit known vulnerabilities quite easily. It’s important to take steps to identify them, but also to create a remediation plan that can patch systems as necessary and close these potential points of access.
5. Device management
Personal devices flood most universities and colleges. Smartphones, laptops, tablets, USB thumb drives and wearables are growing more and more common. There are also risks from network-attached devices such as printers, copiers, scanners and laboratory devices. As the Internet of Things continues to take off, surveillance systems, HVAC systems, vending machines and door controls also have to be taken into account.
Creating a complete picture of the devices that have access to networks and controlling that access carefully is important, but it’s not an easy task.
Closing the door
There’s a lot of work to be done to tighten information security at higher ed institutions. Data classification would help to define the sensitivity of instructional data, and encryption should be used far more often for data in transit or at rest. Risk assessments are urgently required, both to identify critical assets and protect them and to ensure compliance with regulatory requirements.
Gathering this data should give staff the ammunition it needs to graduate to higher IT security budgets. Because without more resources, the proper level of security will be impossible to achieve. InfoSec can’t afford to go on sabbatical.