With more colleges and universities incorporating Software-as-a-Service (SaaS) platforms to support registrars, admissions, and financial aid offices, schools are collecting more electronic student information than ever.
Combine that with weak networks and systems, however, and the state of cybersecurity in higher education earns an F. Higher education needs to focus more on protecting this information from cybercriminals.
What is the State of Cybersecurity in Higher Education?
Recent research indicates that colleges and universities rank third for data breaches. Additionally, a 2021 Education Cybersecurity Report indicated that data breaches were the primary source of risk for higher education institutions.
That shouldn’t be a surprise. The data perimeter is expanding rapidly, with more institutions putting old processes through digital transformation and more students using technology in classrooms.
What are the Key Challenges in Cybersecurity in Higher Education?
In 2021, the Educause IT Issues Panel spoke to a panel of 50 IT experts who listed the key technologies expected to affect cybersecurity for colleges and universities. They were:
- Cloud vendor management;
- Endpoint detection and response;
- Multi-factor authentication and single sign-on;
- Preservation of data authenticity and integrity;
- Security of research; and
- Student data privacy and governance.
Why is Higher Education a Target for Cyber Attacks?
One of the main reasons schools are viewed as a prime target for cybercrimes is the highly private data they hold. Schools frequently save vast volumes of sensitive information, such as student and teacher records and financial data.
This data may be lucrative to attackers, who could employ it as a ransomware bartering piece, sell it on the black market, or use it for identity theft or other crimes.
Furthermore, schools, notably higher education institutions, have many individuals using their systems and networks, several from their homes or outside the network, and many using their own devices, making networks in the sector considerably more significant, more open, and more challenging to secure.
Teachers, students, and staff members may lack the expertise and awareness to recognize and avoid phishing attempts or other forms of social engineering.
Furthermore, schools typically have little IT and cybersecurity resources and experience. Many people lack the financial resources to invest in comprehensive cybersecurity measures such as Intrusion Detection Systems (IDS), firewalls, and virus protection software.
They may also lack workers with the requisite developing skills to defend their systems and networks against emerging threats appropriately. As a result, infiltrating their networks becomes simpler for cybercriminals.
Common Cybersecurity Struggles in Higher Education
Cybersecurity incidents are becoming more common, sophisticated, and expensive across all industries. Recent attention has been drawn to cybersecurity measures and laws due to assaults on government institutions and critical infrastructure.
These are some of higher education’s main problems, aside from the constantly expanding danger landscape attacking schools and universities.
Why Higher Education Struggles with Creating an Information Security Strategy
Offices within higher education, such as admissions and registrars, are not the only locations where people can access student data. Increasingly, faculty and staff use cloud-based platforms that contain Personally Identifiable Information (PII) to send academic warnings, submit grades, and communicate with students.
Moreover, these individuals often use mobile devices or connect to the platforms remotely. So, the number and location of threat vectors are increasing, giving cybercriminals more opportunities to exploit vulnerabilities.
The education industry struggles to inventory data assets, including all the devices, networks, systems, and software accessing student information. Since creating a catalog of assets is the first step to establishing a risk-based security strategy, higher education is failing even before it starts the process.
Why Higher Education Struggles with Privacy
With the large numbers of people handling student data (particularly after the increase in online learning and remote work for educators during the COVID-19 pandemic), struggles to align with student data privacy laws have never been more apparent.
For example, faculty might incorporate free services into classroom instruction, such as TED talks on YouTube. Some services collect information such as IP addresses; others require logins. All of this information places student data and institution data at risk.
Students may not understand how to manage their data, either. For example, students might use their school email addresses for social media and internet logins. If the students also use poor password hygiene, cybercriminals can use those emails and passwords to gain unauthorized access to databases containing private information.
Why Higher Education Struggles With Securing Digital Integrations
The short answer is that schools struggle because faculty and students often use cloud platforms. As they use Google Cloud or Microsoft Azure for document sharing or for aggregating big data, they send information across more services and education networks, increasing exposure to cybersecurity threats.
Different departments might also use various applications for research or other operations. Each database requires a new API that enables data sharing back and forth; these new service providers and applications increase the data environment’s perimeter.
Academic departments might not communicate effectively with their IT departments. Particularly at large research institutions, the number of applications can be overwhelming. Monitoring all those security issues means engaging in more “cross-campus” conversations.
Why Becoming a Data-Enabled Institution Increases the Security Risks
Every year, new data analytics tools to promote student success appear on the market. The argument goes that the more data institutions collect about their students, the greater their students’ success levels will be.
Those tools gather student data in myriad forms, including student location data and students’ interactions with other students; many times, students might not even realize they can opt out of such data collection. As successful as those tools might (or might not) be for student success, they also put student privacy at risk by collecting all that data.
The bottom line is that higher education needs to focus on securing data as part and parcel of becoming the data-enabled institutions they want to be.
What are the Costs Associated with Cyberattacks in Higher Education?
The Ponemon Institute states that the average cost of a data breach in the education sector was $3.9 million in 2020. Much of that can be attributed to lost productivity or remediation costs. Still, some universities have also been forced to pay a ransom to gain access to sensitive data locked up by attackers.
For example, last year, the University of California San Francisco paid a $1.14 million ransom in Bitcoin to recover important medical research data.
How Attackers Exploit Higher Education Vulnerabilities
There are several possible cyber-attacks on higher education institutions. Some of them are relatively widespread in many sectors. We’ll go over them briefly below.
- Phishing attacks: In this attack, a cyberattacker poses as a trustworthy entity to obtain information from an unsuspecting victim. In this case, a cybercriminal may impersonate a college administrative representative to gather information, such as student or faculty login credentials, and then get access to the institution’s systems to steal essential data.
- SQL Injection: This cyberattack is carried out by introducing malicious code into a website’s query field. On their websites, universities and colleges utilize many question boxes into which users must enter their credentials to access whatever data they want. Cybercriminals can use these devices to insert code into the systems and obtain access to sensitive data.
- Ransomware: Ransomware attacks encrypt victim data and enable hackers to demand a ransom to unlock it. Higher education institutions store student and faculty information and other helpful information relating to prospective research conducted by these institutions.
How can Higher Education Institutions Protect Student and Staff Data?
Higher ed’s data management and governance programs started by using large databases. These single sources of information aggregated in one location were easy to manage and keep secure.
Unfortunately, that model is not sustainable in the modern era. Too many parties (students, faculty, administrators) want easy access to academic information and often process that information on various cloud-based applications, which becomes a headache for data protection.
Data, research, and intellectual property are no longer located in a single location that a single CISO or IT manager can manage. User access and authentication, firewalls, security patch management, and anti-malware/anti-ransomware software must be implemented across a complex IT landscape. The tasks involved must all be managed from one central point to ensure adequate security and compliance with regulatory obligations.
What are Some Ways to Help Protect Student Data Online?
A cybersecurity program in higher education must include the following:
- Training faculty, students, and staff on good cyber hygiene
- A documented and tested incident response plan
- Penetration testing of security measures
- Continuous monitoring for security intrusions
- Guidance from cybersecurity frameworks to remediate weaknesses in your security program and ensure compliance with laws such as the Family Educational Rights and Privacy Act (FERPA).
Finding the Right Cybersecurity Solution for Higher Education
Understanding your organization’s particular cybersecurity demands is critical before selecting a cybersecurity solution. Some questions that may be useful at this point are:
- What kinds of data does your company manage, and how sensitive is it?
- What are the possible threats to your company’s data and systems?
- What level of security do you require?
- How much money do you have set aside for cybersecurity solutions?
- What is the training budget or timetable for your new cybersecurity solution?
Considering the answers to these questions will assist you in selecting the best cybersecurity solution for your organization’s particular needs.
Other factors to consider in your selection include the types of vulnerabilities widespread in your industry and the cybersecurity certifications most commonly utilized or applicable to your organization.
How ZenGRC Enables Higher Education
To help organize their risk management and information security programs, institutions need an automated process for tracking and documenting their security reviews.
ZenGRC provides higher education compliance software that allows organizations to prioritize tasks so that everyone knows what to do and when to do so that stakeholders can more rapidly review the “to-do” lists and “completed tasks” lists.
With our workflow tagging capabilities, CISOs and other IT professionals can assign tasks to the individuals responsible for the activities involved in risk assessment, risk analysis, and risk mitigation.
Finally, with our audit trail capabilities, institutions can document remediation activities to prove that they maintained data security, integrity, and availability to protect student privacy.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.