Data Breach 101: Cyber Security Issues in Higher Education
Higher education provides a treasure chest of high value in formation for cyberattackers. With everything from Social Security numbers and medical records to financial data and intellectual property within a single institution, it’s imperative that institutions protect critical infrastructures by anticipating, recognizing, and mitigating attacks.
Higher education databases contain some of the most sought after data that attackers are looking to steal
Cybercriminals have the higher education sector in their crosshairs. According to some estimates, higher education accounts for 17 percent of all data breaches where personal information is stolen, with only the medical sector being victimized at a higher rate. And why not? Higher education databases contain some of the most sought after data that attackers are looking to steal. Everything from Social Security numbers to medical records to financial data and intellectual property could all be contained at one facility. Hackers know this, which is why Symantec’s 2015 Internet Security Threat Report ranked education third overall among the top ten most-attacked and breached sectors.
If we humanize the issue, the personally identifiable information (PII) at risk is often that of young adults who in many cases are just laying the foundation for their careers and personal lives. Imagine if your Social Security number was stolen at the age of 18. How could that hinder your ability to buy a car, pass a credit check to help find a good job or get into a good school? What would happen 10 or 15 years later when you tried to buy your first home?
According to an EdTech magazine report, 1.35 million personal identities were exposed to hackers in the education sector in 2015. The full impact of these breaches on the victims will not be fully realized for years.
1.35 million personal identities were exposed to hackers in the education sector in 2015
What makes these breaches more alarming is that many of them are easily preventable. According to the same EdTech article, nearly a third of these breaches, 30 percent, were the result of “unintentional disclosure” like phishing attacks, improper use of social media, and so forth. Only 36 percent were the result of actual hacking.
We need to do a better job not only of bolstering network defenses against cyberattacks, but also of raising awareness of basic cybersecurity hygiene among the full spectrum of IT users: staff, faculty and students. This is especially important in education where those types of serious cybersecurity considerations have been sometimes overlooked, making education a softer target than many other sectors like finance which puts a lot of effort into cybersecurity.
This student body, with its own devices, applications and expectations, poses a significant challenge in protecting sensitive and critical information
Many corporations spend large amounts of money on continuing cybersecurity awareness and training programs for employees. That task is magnified at institutions of higher learning, where there is a large population of students with little or no professional experience who must be accommodated in addition to faculty and staff. This student body, with its own devices, applications and expectations, poses a significant challenge in protecting sensitive and critical information.
Higher education is particularly vulnerable because, in contrast to many other high-value targets, college and university computer networks have historically been as open and inviting as their campuses, says Fred Cate, a senior fellow at the Indiana University Center for Applied Cybersecurity Research. “We want our faculty and our students and our public and our donors to connect pretty easily to us,” says Cate, who also is vice president for research at IU.
Solving the problem
In addition to better cybersecurity education, the need for more robust tools, tactics and procedures also is apparent.
Three simple steps that can help improve an institution’s cybersecurity posture are:
- Access Control Policies: Authentication should go beyond simple user-name and password to include additional factors where appropriate, such as Multi-Factor Authentication (MFA), which can go a long way to better securing a network. Additionally, authorization must be managed on a least-privilege basis. Directories and privileges must be kept up-to-date.
- Data protection: Sensitive information should be encrypted both at rest and in transit.
The flow of information: Colleges need to also consider the safest way to share data. “One policy should be prohibiting staff from using popular services like Dropbox to transfer student records and other sensitive information,” says Jonathan Rajewski, assistant professor of digital forensics at Champlain College in Vermont.
Finally, beyond the sharing of data, organizations need to be mindful of the flowing out of data. As we recently covered in a separate Tenable blog, networks that seem to be bleeding data are often experiencing symptoms of potentially malicious activity.
An essential first step in improving cybersecurity in education is first assessing the current cybersecurity posture. By deploying a comprehensive security assurance solution such as SecurityCenter Continuous View™, higher education organizations can inventory, scan and audit their current environment. This is particularly valuable for an organization with a significant number of mobile users where assets may not always be connected to, or managed within, the enterprise. To learn more about tracking rogue devices and systems, see the Tenable solution, Unknown and Shadow Assets.
Higher education provides a treasure chest of high-value information for cyber attackers. But with the right approach, tools and training, organizations can take large steps toward reducing the number of compromised networks and stolen data. Then they can concentrate on what they do best, educating today’s best and brightest.
Are You Vulnerable to the Latest Exploits?
Enter your email to receive the latest cyber exposure alerts in your inbox.