My comprehensive summary
Higher education institutions influence the business industry, defense industry, financial industry, and especially consumers. Moreover, they often partner with the government and private sector companies for research and funding. Therefore, it is important for institutions of higher education to be proactive, rather than reactive, at developing cybersecurity strategies and implementing effective cybersecurity practices.
Cyberattacks Against Colleges and Universities are Real
A 2017 report by the National Center of Education Statistics (NCES) estimated the higher education sector encompasses 20.4 million students and 1 million faculty. To a would-be hacker, this is a massive number of potential security targets. According to a Moody report, cyber-attacks at universities are on the rise, with financial information being the most common target.
Students participate in much more than just classes while at college. They interact with peers, join clubs, network, and interview for jobs or internships. Throughout these processes, contact information, financial information, and personally identifiable information (PII) is exchanged. Everything from emails to relatives to addresses may be stored. Additionally, many students receive financial aid refunds or get a wage through an on-campus job or work-study program, which means universities store banking information. There is a wealth of PII that cybercriminals might find useful.
Who are the Cyberattackers?
Cybercriminals typically fall into four categories: organized crime, APT, insider threats, and hacktivists.
Colleges and universities have critical times during the year - registration, orientation, final exams, etc. During these times, institutions are particularly vulnerable and any attack may be extremely debilitating and costly to fix. In August 2019, Regis University in Denver experienced an attack that took out phones, email, and the internet at the start of the year. In September 2019, The University of Alabama at Birmingham Medicine had to notify nearly 20,000 patients that criminal hackers gained access to certain employee email accounts containing patient information. The hackers had sent an authentic-looking business survey request email to employees, which served as the point of entry for the phishing attack. In October 2019, DCH Medical Center in Tuscaloosa was the subject of a cyberattack that forced the hospital to carry out some of its procedures manually using paper files instead of using digital information. While the previous two examples were related to patient information in hospitals (one hospital that is connected with a university), these are the same types of attacks that colleges and universities could be subjected to.
Best Practices for Cybersecurity
Cybercriminals are looking for information, whether it is student information, banking information, information related to proprietary research, or employee information, the goal is the same – information. Steps can be taken to improve the cyber- and information-security practices within an organization. Below are three basic practices that can improve cybersecurity within your institution:
Conclusion
Do I personally believe that increased government involvement in cybersecurity practices will lead to a dystopian state where we lose our freedoms of speech and expression? Not really. Honestly, with the speed that the federal government is passing legislation related to cybersecurity, I think that it is only a matter of time before the government becomes very much part of the cybersecurity practices at our institutions. While I’m not entirely sure what this will look like, I think that as cyberattacks increasingly come from foreign nations, the government’s involvement is inevitable. In the mean-time, if we do our part to ensure good security practices, then increased government intervention in our day-to-day operations could be delayed for quite some time.
Cyberattacks Against Colleges and Universities are Real
A 2017 report by the National Center of Education Statistics (NCES) estimated the higher education sector encompasses 20.4 million students and 1 million faculty. To a would-be hacker, this is a massive number of potential security targets. According to a Moody report, cyber-attacks at universities are on the rise, with financial information being the most common target.
Students participate in much more than just classes while at college. They interact with peers, join clubs, network, and interview for jobs or internships. Throughout these processes, contact information, financial information, and personally identifiable information (PII) is exchanged. Everything from emails to relatives to addresses may be stored. Additionally, many students receive financial aid refunds or get a wage through an on-campus job or work-study program, which means universities store banking information. There is a wealth of PII that cybercriminals might find useful.
Who are the Cyberattackers?
Cybercriminals typically fall into four categories: organized crime, APT, insider threats, and hacktivists.
- Organized crime attacks usually involve money as the primary motivator. For example, a university may face a ransomware attack demanding payment in exchange for unlocking system access. Or, a group may be running an operation involving selling answer keys to students.
- An APT or “advanced persistent threat” tends to be more complex. APTs are often groups and not just an individual. These groups may be spies, political manipulators, or thieves. APTs enter a system, undetected, and lurk in systems for extended periods of time. The motivation may be money, but in many cases, sensitive data is the target. These types of attacks are particularly concerning for research universities that partner with high profile businesses and government agencies.
- Insider threats do not always stem from malicious intent but involve an individual inside an organization. Likewise, disgruntled or fired employees have caused to harm a university. Consequently, make sure the credentials of past employees are canceled as soon as possible. Negligence may also result in a security breach and an employee may inadvertently cause a security incident by not following security procedures and best practices.
- Hacktivists are rarely motivated by money but rather promote a cause, like Climate Change or anti-pollution. For universities, hacktivism may manifest as a protest against university actions (like how the university uses its budget). Depending on the severity of the protest, hacktivism can severely impact a university’s operations.
Colleges and universities have critical times during the year - registration, orientation, final exams, etc. During these times, institutions are particularly vulnerable and any attack may be extremely debilitating and costly to fix. In August 2019, Regis University in Denver experienced an attack that took out phones, email, and the internet at the start of the year. In September 2019, The University of Alabama at Birmingham Medicine had to notify nearly 20,000 patients that criminal hackers gained access to certain employee email accounts containing patient information. The hackers had sent an authentic-looking business survey request email to employees, which served as the point of entry for the phishing attack. In October 2019, DCH Medical Center in Tuscaloosa was the subject of a cyberattack that forced the hospital to carry out some of its procedures manually using paper files instead of using digital information. While the previous two examples were related to patient information in hospitals (one hospital that is connected with a university), these are the same types of attacks that colleges and universities could be subjected to.
Best Practices for Cybersecurity
Cybercriminals are looking for information, whether it is student information, banking information, information related to proprietary research, or employee information, the goal is the same – information. Steps can be taken to improve the cyber- and information-security practices within an organization. Below are three basic practices that can improve cybersecurity within your institution:
- Be Selective about Data Collection: Not all information needs to be stored. The formal term is minimization. Minimizing data collection means that if the institution doesn’t have it, it can’t be at risk, meaning lower risk of liability.
- Developing a Data Retention Policy: Purging data means removing data that is no longer relevant. Different types of data will likely have a different retention period depending on the nature of the information.
- Implement Security Controls: Controls aren’t just technical, they can also be administrative in nature. On the technical side, institutions should utilize encryption to protect data at rest and in transit. In order to efficiently apply encryption, universities must take stock of where sensitive data is stored or how it is transmitted.
Conclusion
Do I personally believe that increased government involvement in cybersecurity practices will lead to a dystopian state where we lose our freedoms of speech and expression? Not really. Honestly, with the speed that the federal government is passing legislation related to cybersecurity, I think that it is only a matter of time before the government becomes very much part of the cybersecurity practices at our institutions. While I’m not entirely sure what this will look like, I think that as cyberattacks increasingly come from foreign nations, the government’s involvement is inevitable. In the mean-time, if we do our part to ensure good security practices, then increased government intervention in our day-to-day operations could be delayed for quite some time.