
How to Create a Cyber-Risk Framework for a College or University
A cyber-risk framework gives a college or university a structured way to keep its digital systems secure while preserving a safe and supportive educational setting. Students of all ages increasingly receive their education in digital formats, particularly at the college level, and higher education relies on an open, collaborative culture to deliver strong degree programs and to maintain its reputation.
Colleges and Universities Are Vulnerable to Cyber Risks
Faculty, administration, students and visitors need continual access to digital information-sharing. Colleges and universities are relying on software solutions to manage their infrastructure and faculty functions. Most colleges have extensive data repositories for storing vital scientific and academic research. All colleges store personally identifiable information on students, faculty and staff, and some also retain information on patients and research participants as well.
Sensitive information of this kind is a prime target for cybercriminals, and small schools are at just as much risk as large ones. Colleges and universities were deliberately designed as open environments to allow the free sharing of information; visiting professors and speakers are the norm.
The openness that colleges and universities require for academic learning makes developing cybersecurity and other security programs inherently difficult, and the size of campus communities compounds the challenge.
CISOs and CIOs must build layered networks with segmented, role-based access, so that a visitor on the campus Wi-Fi, a student in a teaching lab and an administrator of the student records system each get only the connectivity their role requires. This process entails identifying potential threats, creating a culture of cybersafety, strengthening technical controls and developing appropriate response plans.
Cyberattacks and Data Breaches in Higher Education Are Frequent and Costly
Colleges and universities face many of the same types of cyberattacks as other industries. The most common types of attacks are:
- Phishing attacks
- W-2 scams
- Ransomware attacks
- Data breaches
- DDoS attacks
Cost of Cyberattacks
Colleges and universities retain hundreds of thousands of records. According to Ponemon’s 2018 Cost of a Data Breach Study, the average cost of a compromised record containing personally identifiable information was $148. At that rate, a breach of 200,000 records would cost roughly $30 million before regulatory penalties and reputational damage are counted.
In addition to the risk of large financial loss, colleges and universities must comply with many federal, state and local laws and with contractual standards. A data breach could place a higher education institution out of compliance with regulations such as FERPA, HIPAA, HITECH and COPPA, and with PCI DSS, the payment card industry’s standard for any campus operation that accepts cards. CISOs and CIOs must be familiar with these requirements when creating cybersecurity plans, policies and procedures for faculty, administrators, staff, students and visitors.
Examples of Cyberattacks on Colleges and Universities
You don’t have to go too far back to find incidents of colleges and universities that were affected by cyberattacks. Here are a few examples:
- 2017 Boston University: WannaCry ransomware attack; the worm’s operators collected over $130,000 in ransom payments worldwide.
- 2017 College of Southern Idaho: W-2 phishing scam affected records of 3,000 seasonal and auxiliary employees.
- 2017 Daytona State College: W-2 scam and data breach of financial aid records.
- 2017 Los Angeles Valley College: Ransomware attacker took over campus email system and computer network, asking for $28,000 in bitcoin payments.
- 2017 Rutgers University: A former Rutgers student was responsible for multiple DDoS attacks over two years.
- 2017 University of Alaska: Phishing scam caused a breach of 25,000 student, staff and faculty records, including Social Security numbers and names.
How to Create a Cyber-Risk Framework at Colleges and Universities
According to Jason McNew, CEO and certified information systems security professional, cybersafety and cybersecurity are fundamental issues for colleges and universities. He advises schools to take a multipronged approach to cybersecurity that incorporates the culture at their institutions.
Creating a Cybersecurity Culture
McNew suggests that CISOs and CIOs of colleges and universities create a cybersecurity culture that coincides with the safety culture they already have. He recommends that colleges find ways to involve everyone in cybersecurity, such as putting up cybersecurity posters next to other safety posters, training users on security and conducting security drills.
In addition, McNew recommends that CISOs and CIOs assess security threats by performing a full data security audit, so that weaknesses are found and fixed before an attacker exploits them. The audit should cover infrastructure, organizational policies and user training, and it will help them understand the likely sources of attacks and leaks. A third-party expert can be instrumental in conducting a successful audit.
Colleges and universities should take the same precautions as other industries: adopting current technology and making full use of what they already run. College IT staff must keep systems current with security patches and updates. Moving email and document storage to managed cloud services can help, since the provider handles patching and availability, but only if the institution configures access controls and multi-factor authentication properly on those services.
College boards should be using a highly secure board management software system, such as the one offered by BoardEffect. BoardEffect is an expert provider of board portal software for colleges and universities using state-of-the-art security features.
Taking Action to Strengthen a Cybersecurity Plan
An audit gives CISOs the basis for upgrading and enhancing their cybersecurity plans. IT experts recommend that colleges and universities follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which organizes a security program around five functions: Identify, Protect, Detect, Respond and Recover. The Higher Education Information Security Council (HEISC) also offers the HEISC Information Security Program Assessment Tool, which is freely available.
Cybersecurity systems for college and university campuses should include automated deployment of security controls, threat response and resilience measures such as tested, offline backups. Because breaches often begin with an insider (a staff member, administrator, faculty member, student or visitor who falls for a phishing email or malware), IT experts advise colleges to require multi-factor authentication and least-privilege access for administrator roles and to incorporate cybersecurity-focused user training wherever possible. CISOs and CIOs should also maintain regular schedules for testing and drills, such as phishing simulations and incident-response exercises, to catch new malware and attack techniques before they succeed.
Some Final Words on Creating a Cyber-Risk Framework for Higher Education
Cybercriminal activity is becoming increasingly sophisticated, making it difficult for CISOs to keep pace with protective efforts. The open environments on campuses create extra challenges. College boards should be aware that they must do their part to keep board work secure and confidential. They must also accept the fact that CISOs can’t do the job sufficiently on their own. A sound cyber-risk framework requires training all members of the campus, conducting audits at least annually, performing regular drills and testing, and creating a culture of cybersecurity much like their other campus safety programs.