As seen on eCampus News
Zero trust can help university IT staff reliably maintain network security while addressing user experience issues and concerns.

Network security in higher ed: The importance of zero trust

Many universities don’t have the IT staff to reliably maintain network security while addressing user experience issues and concerns

By Chris Liou, Nile | July 16th, 2025


Despite the increase in cybersecurity spending, the number of cyberattacks continues to rise, showing no signs of decreasing. AI plays a major role in this increase, not only helping engineers build code efficiently for network-, security-, and business-centric applications, but also enabling cybercriminals to produce more sophisticated malware at a higher velocity.

In fact, Gartner predicts that by 2027, 17 percent of total cyberattacks will involve generative AI. Cybercriminals now target every conceivable industry, with universities and colleges increasingly becoming some of their favorite victims. Typically, bad actors exploit vulnerabilities in educational institutions’ networks, like IoT or outdated devices and the laptops of unsuspecting students, to move laterally to higher-value assets.

The current state of university network security  

Universities are attractive targets for bad actors because of their wealth of data. These schools have student records, which include personal information, financial records, and other payment details submitted as part of tuition payments. R1-designated research institutions possess a considerable amount of lucrative data that likewise entices bad actors. Hackers also target and sell university-specific information on the dark web.

The consequences of a data breach extend far beyond the financial loss from stolen data. Should hackers gain access to the network, there will be operational disruptions–like downed online learning platforms–and reputational damage. The impacts can extend even further, possibly jeopardizing grants, causing corporate partners to withdraw funding, and more. 

Securing networks against threats isn’t as easy as it sounds. Many universities, especially smaller liberal arts schools, face skill and labor shortages: they don’t have the IT staff to reliably maintain the network and security while simultaneously addressing user experience issues and concerns. In some cases, there may only be a handful of network engineers supporting an entire campus, let alone multiple campuses.

A 2024 IDC survey found that over 90 percent of global organizations will likely face IT skills shortages by 2026, with negative effects on the remaining personnel’s ability to continuously monitor and manage the network. These small teams are forced to work with legacy network environments and well-known vulnerabilities, further exacerbating security challenges.

Network devices and the importance of campus zero trust

Universities often contain many more unique devices than enterprises. These devices range from a student’s 6-year-old laptop or tablet to game consoles and Internet of Things (IoT)-powered medical or research devices. Universities often keep assets for as long as possible, which means many are well beyond their service life, with the original manufacturer no longer supporting the devices via maintenance or security patches.

As long as these devices are on the network, they provide the hacker community with exploitable vulnerabilities that they will eventually attempt to compromise as their initial point of entry to move laterally through the network to higher-value assets and data. According to a report from Zscaler, IoT malware attacks rose by 961 percent in higher education between 2022 and 2023, and are expected to escalate in 2025 as institutions increasingly rely on such devices.

The exploitability of devices highlights the necessity of a modern Campus Zero Trust approach and a network security framework that holds to principles like “never trust, always verify” and “default deny,” which are built into the network architecture, not bolted on. With devices, IT teams must create zones of operation that restrict communication from outside that zone. Should an IoT device become infected, the cybercriminal cannot move laterally from that initial device to higher-value devices.

This per-device isolation or zone-based segmentation allows universities to enhance their security posture and minimize the blast radius of an attack while also prolonging the shelf life of their assets. Ultimately, such efforts save money by avoiding the purchase of new equipment.
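The default-deny zoning described above can be checked by computing which hosts a compromised device could reach by chaining permitted flows. The sketch below is an added example, not code from the article or from Nile; the device names, zones and allow rules are constructed for illustration.

```python
from collections import deque

# Constructed inventory: device -> zone (all names are hypothetical).
DEVICES = {
    "hvac-sensor-01": "iot",
    "lab-camera-07": "iot",
    "student-laptop-a": "student",
    "student-laptop-b": "student",
    "lms-server": "services",
    "registrar-db": "records",
    "research-store": "research",
}

# Explicit allow rules as (source zone, destination zone); anything absent is denied.
ALLOW = {
    ("student", "services"),
    ("services", "records"),
}

def flat_network():
    """Legacy baseline: every zone may talk to every other zone."""
    zones = set(DEVICES.values())
    return {(a, b) for a in zones for b in zones}

def permitted(src, dst, allow, isolate_hosts=True):
    """Default deny: a flow passes only if an allow rule names its zone pair."""
    zs, zd = DEVICES[src], DEVICES[dst]
    if zs == zd:
        # Per-device isolation blocks peers even inside the same zone.
        return not isolate_hosts
    return (zs, zd) in allow

def blast_radius(start, allow, isolate_hosts=True):
    """Hosts reachable from a compromised start host by chaining permitted flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for dst in DEVICES:
            if dst not in seen and permitted(cur, dst, allow, isolate_hosts):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

if __name__ == "__main__":
    for host in ("hvac-sensor-01", "student-laptop-a"):
        flat = blast_radius(host, flat_network(), isolate_hosts=False)
        zoned = blast_radius(host, ALLOW)
        print(f"{host}: flat={len(flat)} hosts, zoned={sorted(zoned)}")
```

The student laptop still reaches the records database through the services zone, because allow rules chain transitively; reviewing the computed radius for each zone catches paths that no single rule makes obvious.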

The reality of zero trust today: Most universities aren’t there yet

Most universities have basic security measures in place, like firewalls, anti-virus endpoint protection, intrusion detection systems, SIM encryption, multi-factor authentication, etc. These protections are minimum requirements–the divide between higher education institutions sets in with more advanced capabilities like AI-driven threat detection, micro-segmentation, data loss prevention capabilities and, most importantly, modern zero trust security. These critical capabilities are much more difficult to set up and manage, especially for small IT teams.

While 80 percent of higher education organizations have zero trust strategies in place, if one were to peel back the layers to see how many of those have implemented zero trust at scale, the number drops precipitously. For example, amongst higher education, most have implemented next-generation firewalls, but few have successfully implemented zero trust at any level, let alone at scale across the university’s network. Moreover, many IT teams will overlay a Zero Trust Architecture over their legacy networks, which can cause compatibility challenges and leave potential security gaps. 

Benefits of working with a security partner

Successfully implementing zero trust security principles at scale is a pressing challenge for all universities–even for larger institutions. Schools should consider partnering with a networking vendor that truly understands security and how and where zero trust must evolve. 

The only way to empower understaffed IT teams is to transition away from decades-old network infrastructure and NAC solutions. It’s time to consider partnering with a vendor that can mitigate security risk and deliver advanced zero trust capabilities, such as identity- and context-aware micro-segmentation, host-based isolation of every user and IoT/OT device, and AI native behavioral monitoring of every user and device. 

About the Author:

Chris Liou is Head of Security Product Management at Nile.
