What cyber threats do higher education institutions face?
Higher education institutions are prone to cyber attacks. Elements such as open networks, large volumes of data and freedom of public access expose them to a variety of cyber threats and risks — and there are plenty of examples that can help institutions anticipate and prevent breaches.
Recent research has identified that, every hour, one-third of universities in the UK alone are hit by a cyber attack. And cyber threats and risks are challenges that will only grow as cyberspace continues to evolve. In order to secure higher education institutions, it is important for their decision-makers to understand the potential threats. Here are just a few examples:
Pennsylvania State University, US, May 2015
- The College of Engineering was targeted by two sophisticated cyber attacks that compromised servers containing records relating to 18,000 people. The attacks had been undetected on the college’s network for some time.
- At least one of the two attacks was carried out by threat actors in overseas territories.
- The attack resulted in the network being unavailable for three days.
University of Maryland, US, March 2014
- A cyber attack targeted the university’s network, compromising 287, 580 records of students, faculty, staff and affiliated personnel.
- The database breach affected everyone who had been issued a university ID between 1998 and February 2014.
Multiple Japanese universities, July 2015
- The networks of six Japanese universities came under simultaneous cyber attacks.
- On the same day, one of Japan’s banks was also hit by DDoS attacks.
- One university said 360 email addresses may have leaked, while another may have lost ID numbers relating to its website admin.
University of Delaware, US, July 2013
- A cyber attack on a computer system exposed the identities of more than 72,000 people.
- Hackers exploited a vulnerability in web-based software used by the university and stole names, addresses, social security numbers and university IDs of current and past employees.
King Saud University, Saudi Arabia, January 2012
- The official website of King Saud University (KSU) was hacked by an unknown hacker.
- A database of 812 users was hacked, and the contents were dumped on a file-sharing site.
- The data included mail addresses, mobile phone numbers and passwords.
Concordia University, Canada, March 2016
- Keyloggers, hardware devices that can capture personal data by tracking keystrokes, was found on some workstations in two of the university’s libraries.
- The breach potentially impacted anyone who had used the affected computers in the past year
Challenges to protection
Protecting the security of information and IT assets has always been challenging, mainly due to the unique environment and industry in which these organizations operate. Detailed here are some of the challenges that affect the ability of higher education institutions to plan and defend against cyber attacks:
- Decentralized IT and information security practices, which are the result of various faculties running their own IT and security departments, cause the enforcement of streamlined security practices to become very difficult.
- Freedom of information is woven into both the higher education sector and academic culture. One of the consequences of this is the prevalence of open networks, which may not be properly monitored for unauthorized access, unsafe internet surfing habits and malware infections.
- Insufficient resources, specifically information security funding challenges, are typical in many higher education organizations and prevent them from implementing the necessary controls to battle rising cyber risks.
- Campuses are the ultimate “bring-yourown-device” (BYOD) environments, and there is a plethora of unrestrained devices. This results in the campus IT staff having limited ability to control what machines are connected to the campus network and manage their security controls. The effect is a dramatic increase in the attack surface for the entire institution.
- Various faculties usually have computing devices used for projects or to store scientific data. In many cases, these devices may be procured by each faculty independently without following formal security architecture guidelines. Unstructured data, generated and processed by these computing machines, is very hard to locate, classify and safeguard.
- Insufficient physical security results in institutions being unable to determine the original attack vector for security incidents that have a physical element.
- The lack of threat intelligence collection and sharing between universities and colleges means that these institutions remain unaware of the emerging threats.
The offline legacy of cyber attacks
Cyber attacks against higher education institutions can have an operational, reputational or financial impact, depending on the nature of the attack.
Identity theft can result in reputational damage, and could subject the institution to regulatory fines and attention, while reputational attacks themselves can have a significant negative impact on competitive advantage.
It goes without saying that financially motivated attacks, such as ransomware, can have a significant financial and operational impact on the higher education institution. But cyber attacks of any kind can also result in a loss of confidence in the institution among current staff, faculty, students and prospective students.
For these reasons, higher education institutions should implement proper controls that safeguard the institution’s most valuable information — as well as its reputation