As seen on eCampus News

7 tips to overcome security risks unique to higher ed

Institutions can learn from the private sector and adopt enterprise IT principles that help them fight against ransomware and cyberattacks.
By James Turgal, VP of Cyber Risk, Strategy, & Board Relations, Optiv
June 8th, 2022

Institutions can learn from the private sector and adopt enterprise IT principles that help them understand the dynamics of data protection in education

Earlier this month, Illinois-based Lincoln College announced that, after 157 years in operation, it’s closing its doors, citing a Dec. 2021 ransomware attack and COVID-19 as precipitating factors. Unfortunately, Lincoln College is just the latest in a laundry list of higher education institutions that have recently suffered from a cyberattack.

According to “The State of Ransomware 2022” report by Sophos, 64 percent of higher education organizations were hit by ransomware in the last year. And, this figure doesn’t even take into consideration other threat vectors. Verizon’s “2021 Data Breach Investigations Report” points out that the education vertical also faces a high percentage of social engineering attacks.

The perfect storm of risk

Colleges, universities, and other higher education institutions are prime targets for cybercriminals for several reasons:

  • The cutting-edge and commercially desirable research and intellectual property (IP) they produce.
    The appeal of academic research and resulting IP goes far beyond academia – it’s vital for innovation across industries. Colleges and universities carry vast quantities of sensitive information that help advance government and commercial programs in areas such as healthcare, engineering, technology and national defense. This is information that adversaries, including nation states, would love to get their hands on.
  • The employee and student data they house.
    Higher education organizations are a treasure trove of personal, financial and other confidential (e.g., student medical records) data. Cybercriminals can leverage this information for a variety of nefarious purposes – selling it on the Dark Web, using it in phishing or other social engineering attacks, the list goes on.
  • Their open culture.
    Colleges and universities want to foster collaboration and communication among students, and they want to be able to share research with academics across the globe. With this as a priority, many institutions take a minimalist approach to security, because they don’t want to hamper these efforts.   
  • The state of their architecture.
    Higher education IT ecosystems typically are very fragmented, with each college or program having its own network. For example, a university’s School of Arts and Sciences might have a separate network from the School of Business. Different individuals are responsible for each school’s network security, but all are connected to the larger university’s enterprise network. The lack of consistent security across the organization can introduce easily exploitable security gaps.

On top of these traditional risk factors, there’s the impact the COVID-19 pandemic had on security. Colleges and universities were forced to conduct classes virtually, and IT was caught unprepared for securing this new operations model. This left many institutions with gaping security holes that they are still trying to fill today.  

Defending against cyberattacks

For many reasons, education institutions have not spent the same amount of money on security as the commercial sector. But, to overcome these unique risk factors and survive in today’s sophisticated threat landscape, higher education organizations need to learn from their commercial/private sector counterparts and adopt enterprise IT principles that help them understand the dynamics of data protection in education and infuse that knowledge into all of the fragmented networks within their institution.

This journey starts by doing basic cybersecurity blocking and tackling, including:

  • Educating all employees and students.
    Most attacks start with social engineering. Employees and students alike should understand that they are targets, be aware of the different types of security threats, and know how to respond appropriately in the event of an attack. Conducting ongoing security education and awareness training sessions is the best way to keep security top of mind for all stakeholders.
  • Enforcing strong passwords.
    Everyone knows they shouldn’t use simple or reused passwords, but many still do it anyway. This is problematic because passwords are the gateway to college/university systems. Require passwords to be at least six characters in length, using a combination of letters, numbers and special characters. And, continually emphasize the importance of using different passwords for different accounts.
  • Opting for multi-factor authentication.
    One way to overcome the password problem is to use two-factor authentication, which adds an extra layer of security to user accounts. This approach combines something users know – their username and password – with something they have, typically a code sent to their phone or email.
  • Implementing multi-layered security.
    The best approach to security is “defense-in-depth,” which means implementing multiple layers of security tools for maximum protection. Firewalls, anti-virus solutions, and anti-malware software are all security tools that should be part of your security stack. For an additional layer of protection, consider implementing the Zero-Trust model, a security framework founded on the concept of “never trust, always verify,” applied to users and devices attempting to connect to a network – regardless of whether they are coming from inside or outside the organization.
  • Using encryption.
    Encryption makes data unreadable without a key. Not only is this helpful to protect staff and student data, but it’s also critical for securing sensitive research.
  • Backing up data.
    Backups are the only way to get data back in the event of a ransomware attack, without paying the ransom (and paying the ransom does not guarantee data access). Having backups also comes in handy if systems go offline for another reason – such as a different form of cyberattack or a natural disaster.
  • Prioritizing access controls.
    Collaboration is important, but so is ensuring only the right employees have the right access to the right information. Implement access controls to limit which employees can access sensitive and IP-related data. Enforcing least-privilege access, where employees are given only the least amount of access required for them to perform their job successfully, is always a good practice to follow.

Successfully defending against cyberattacks relies on sound security basics. And, even though higher education institutions have a number of factors that make them appealing targets for attack, with a strong security foundation in place, they will have the knowledge and tools to fight back.

About the Author:

James Turgal is the former executive assistant director for the FBI Information and Technology Branch (CIO). He now serves as Optiv’s vice president of cyber risk, strategy, and board relations.
