Higher education faces several specific challenges related to cybersecurity which arise due to the nature of educational institutions, their diverse user base, and the valuable data they handle.
“There are constant attacks,” said Larry Wines, director of enterprise risk management and insurance at Ohio University. “At Ohio University we have $5 million in cyber liability coverage.” Universities are prime targets for cyber attacks because they hold millions of records on individuals and organizations. Source: WOUB.org Also see this Forbes article.
Challenges for higher education include:
Open and Collaborative Environment:
Higher education institutions are known for their open and collaborative environment, which can make it challenging to enforce strict security measures. Students, faculty, staff, and researchers often need to share information and collaborate across various networks and systems, increasing the risk of unauthorized access or data breaches.
But why does ransomware target schools? Because Schools Have Limited Protection and lots of honey !
IT departments are often small and stretched thin, leaving little time and resources to implement security protocols and protections. Also, staff typically need more cybersecurity training, making schools a soft target for cybercrime like email phishing attacks.
Large User Base:
Educational institutions typically have a large and diverse user base, including students, faculty, staff, and alumni. Each user may have different levels of cybersecurity awareness and practices, making it difficult to maintain a consistent security posture. This diversity also makes it harder to implement security policies and controls that cater to everyone’s needs.
Distributed IT Infrastructure:
Universities often have complex and distributed IT infrastructure, including multiple campuses, departments, research centers, and cloud-based services. Managing and securing such a diverse and interconnected environment can be a challenge. Each component may have different security requirements, and ensuring consistent protection across the entire infrastructure can be complex.
Mount St. Mary’s College in Newburgh, New York, confirmed on February 9 that it experienced a ransomware attack in December after the ransomware group Vice Society claimed credit for the incident on its leak site.
Bring Your Own Device (BYOD):
Many higher education institutions allow students and faculty to use their personal devices (laptops, smartphones, tablets) for academic and administrative purposes. While this promotes flexibility and convenience, it also introduces additional security risks. Personal devices may not have the same level of security controls as institution-managed devices, making them potential entry points for cyberattacks.
Research Data Protection:
Universities are often involved in cutting-edge research across various disciplines. This research generates valuable intellectual property and sensitive data that must be protected. Safeguarding research data from theft, unauthorized access, or intellectual property disputes is a critical challenge. Universities must balance the need for collaboration and data accessibility with robust security measures.
According to Allan Liska, intelligence analyst at threat intelligence vendor Recorded Future, 131 school systems across the world were attacked in 2020, 162 in 2021 and 177 in this past year. These growing numbers contrast those of other sectors. only sector that was actually up in 2022,” said Liska.
Phishing and Social Engineering Attacks:
Cybercriminals frequently target educational institutions using phishing emails, social engineering tactics, and other forms of social manipulation. Students and staff can inadvertently fall victim to these attacks, compromising their login credentials or providing access to sensitive information. Educating users about these threats and implementing effective security awareness programs are essential to mitigate such risks.
According to the Record, six other universities were also targeted by ransomware attacks in April 2022: Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas and National University College
Compliance and Data Privacy:
Educational institutions handle a significant amount of personally identifiable information (PII), including student records, financial data, and research data. Ensuring compliance with data protection regulations (such as GDPR or CCPA) can be complex due to the diverse data types and various stakeholders involved. Failure to meet compliance requirements can lead to legal consequences and reputational damage.
Addressing these challenges requires a multi-faceted approach involving robust cybersecurity policies, user education and awareness, investment in security technologies, regular security assessments, incident response planning, and collaboration with external partners.