Four Vulnerabilities of Higher Education in IT Security

Although cybercrime has seen steady growth in recent years, 2020 has been a particularly devastating year. Global ransomware showed a year-on-year increase of 715 percent. A quantitative change on this scale suggests that bad actors fully intend on capitalising on changes the global pandemic has brought about, mainly remote work practices and organisations' lack of preparedness as masses of users leave the relative safely of the office environment to work from home.

The education sector in particular saw a 30 percent increase in cyber attacks in the U.S. in July and August 2020, according to a study from Check Point. This figure seems all the more concerning when compared to an average of 6.5 percent increase in all other sectors. It is part of a general trend in increased cyberattacks in education throughout the year, across the U.S.A, Europe, and Asia, which has affected educational organisations all across the board. 

Though cyber attacks are increasingly common, institutes of higher education are understandably reluctant to disclose the details of attacks. Time and again, as news of ransomware attacks on universities and colleges surface, information on the ransom paid or the exact nature of the attack is withheld.

Clearly, cyber criminals have increased their efforts in 2020, and the education sector has been identified as a prime target. High profile attacks on higher education have included the following:

  • Michigan State University was hit by NetWalker malware, which enabled attackers to steal sensitive data, however, the ransom money was not paid. The same university was victim to another breach later in the year, through their online shop.
  • The University of California San Francisco reported the payment of $1.14 million in bitcoin to recover data from the School of Medicine from the NetWalker criminal group.
  • The University of Utah paid a ransom of $457,000 in bitcoin to an unnamed group for a decryption key to return student and faculty data.
  • By breaking into the cyber-assets of the University of Oxford and Samsung Canada, attackers were able to send out phishing emails to Office 365 users. This meant the emails were genuinely from the Oxford University system though the method was fraudulent. A link in the emails redirected users to a webpage asking for their Office 365 credentials.
  • Both Northumbria and Newcastle Universities in the northeast of England were hit by attacks that caused the former to close down temporarily, and the latter to suffer weeks of disruption.

Though higher education institutions are emerging as a prime target for ransomware attacks, the larger part of the increase can be attributed to DDoS attacks. These saw a 350 percent year-on-year increase in the first six months of 2020, according to Kaspersky

One of the biggest causes of cyber attacks in higher education is the various methods of phishing that cyber criminals use to gain access to universities' internal systems, networks, or servers. 

Many see the sharp increase in this kind of attack as an inevitable consequence of the shift to remote access. 

What makes higher education so vulnerable?

Low awareness of cyber threats

It seems that many who have access to universities' networks could be better educated when it comes to cybersecurity. Though they may come from a diverse range of fields of study, it is possible to offer them the same basic training in how to avoid typical mistakes, recognise most common threats. This is especially important as universities use expansive networks that often incorporate external elements of widely varying levels of security.

Unfortunately, a self-reported 54 percent of educators is unfamiliar with the threats of ransomware and common cyber attacks, with as much as 16 percent admitting to a complete lack of knowledge on the subject. Only a small proportion of educators know how to respond to phishing emails or what to do after clicking a malicious link. In addition to this, as many as 30 percent of security breaches in the institutions of higher education surveyed were traced back to “unintentional disclosure” as students were fooled by phishing emails or misused social media. 

The sharing environment

While educational institutions are geared at the open exchange of information, IT security measures aim to restrict access to sensitive data. Across a large organisation, students and teachers often choose to share material that, in legal terms, might belong to the university or third parties. Controlling this information at every level and endpoint can be a considerable challenge for security teams. Including classrooms and on-campus dormitories, universities represent large surface areas for hackers to target. 

Universities and research facilities that work closely with the government could have additional security concerns in terms of national security. Another challenge is to find vendors that can handle organizational issues and protect sensitive data while enabling an appropriate level of information sharing. 

A lack of funding

Institutions of higher education are often dependent on public or private funding, and when funds run low, one of the areas to be hit by budget cuts is cybersecurity. After a year that has already seen a significant reduction in student enrolment, funding will inevitably be more difficult to access. Across the entire network of a university, there are thousands of endpoints that need to be secured and users that need to be properly educated in everyday security practices. This, of course, takes additional funding, which many university and college administrators may struggle to access. 

The demands of compliance

Universities and colleges are often at the disadvantage of falling under the requirements of various sets of regulatory compliance. Those with medical facilities, or even just processing medical records or offering health plans, will need to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Those that are using payment card systems to process card transactions can only do so within the constraints of the Payment Card Industry Data Security Standard (PCI-DSS). Institutions that partner with government agencies will need to check regulations like the Federal Information Security and Management Act (FISMA) among others. 

In 2020, institutions of higher education were hit by a wave of cyberattacks in an especially difficult year. This trend is likely to continue in the near future, as colleges and universities hold a large amount of valuable sensitive data and they are relatively likely to pay ransoms. Institutions around the world are presented with a series of challenges in gaining complete control of data, security, and compliance, but with the right tools and organisation these challenges are theirs to overcome.

Learn how the groundbreaking and sophisticated IT security solutions from NewPush can take your organisation to another level of security and compliance.