Cyber criminals are targeting educational institutions, especially colleges and universities. Thus far, 2016 alone has seen a reported 53 educational breaches, exposing as many as 366,196 records of students and staff. These stats are frightening, as they contend with 2015’s yearly total of 63 breaches in only six months.
One recent attacker demanded the University of Calgary pay a ransom of $20,000 in Bitcoin to decrypt files that had been infected by a virus on over 100 university computer systems. Because the university had not consistently backed up their data properly, they were forced to pay the ransom. Other universities that have made headlines with major breaches this year include: the University of California Berkeley, University of Central Florida, and Southern New Hampshire University.
With so much private information about students and staff cycling through the computer systems of large institutions each year, you would think that online security in higher education would be a bigger priority. But the numbers of breach so far this year suggest otherwise. It’s not that universities neglect the possibility of breach or don’t care about it, but as Michael Borohovski told Bluefin, “they [probably just] don’t know it’s a problem or they’re simply not catching it in time. Despite the frequency of attacks, many schools just aren’t prepared to defend themselves.”
Henry Gass with The Christian Science Monitor commented on the challenge of defending large educational institutions against cybercrime when writing about the hack at UC Berkeley: “First, the transient nature of the student body means new devices are constantly entering and leaving the university system. The academic environment also typically encourages the free flow of information, leaving them more vulnerable to attack… The combination of large stores of important data… and often weak online defenses mean colleges and universities are attractive targets for hackers around the world.” Ultimately, with so many people sharing large quantities of important information all on one system, it can be difficult to promise the safety of every student or staff member in the system.
Administrators in higher education take pride in the open and welcoming aspects of their networks. Fred Cate, from the Indiana University Center for Applied Cybersecurity Research told University Business, “We want our faculty and our students and our public and our donors to connect pretty easily to us.” The “academic environment” in higher education is a fruitful market for BYOD devices, the use of third-party services (like DropBox), and the transferring of information through less-secure devices (a thumbdrive). And, like Cate said, institutions invite anyone affiliated with that university access to its network.
So while these options are definitely convenient for users, it makes it harder for IT professionals to track and secure sensitive information across such a large array of communications and connection. Consequently, the likelihood for attackers to find holes in the system is much greater than if universities were to prioritize the protection of their networks with more secure protocol.
The goal of any type of institution should be to prevent a breach. While education and awareness is the foundation towards greater protection on the web, educational institutions should heed the following three steps immediately to protect their networks from future breach:
Educational institutions can’t promise their systems will not be hacked, but they can take precautionary steps towards better security. Following these steps and educating students and staff about what to look for in an attempted attack will help keep breaches at bay.