Protecting Data in University and Higher Education Institutions

When students enroll in a college or university, they trust that institution to keep their data safe. Many schools collect sensitive financial data, as well as data like contact information and personally identifiable information such as social security numbers. Without sufficient security, bad actors could easily gather that information and exploit it.

But how safe is your university’s network? A recent report titled, How Safe Is Your Data? Cyber-Security in Higher Education reveals it might not be as safe as you think. The report, which was a collaboration between the Higher Education Policy Institute (HEPI) and the Jisc Security Operations Centre, revealed that using ethical hacking methods, a team of experts had a 100 percent success rate in gaining access to higher education institutions’ data. Even worse, they were able to do so within a two-hour period.

The data

Jisc kicked off the study in an effort to see just how secure university systems were. Hackers working for Jisc performed a pen test, which probes for vulnerabilities in an entity’s security that an unethical hacker could exploit. The team was able to successfully access information on more than 50 universities, with a 100 percent success rate. In fact, in some cases, the team launched multiple attacks on the same university system.

Cybersecurity is an ongoing challenge for institutes of higher education, with DDoS attacks becoming a regular occurrence across the globe. In one 2018 case, the Department of Justice indicted hackers after an attack spree affected 144 universities in the U.S., as well as 176 universities in 21 other countries.

The problem

A separate Jisc study revealed that students may be largely to blame for these attacks, with issues peaking when school is in session, especially during the workday. As with business breaches, hackers often gain an entrance through social engineering when an employee clicks on a malicious link or downloads unauthorized software from a seemingly known sender.

These security vulnerabilities pose a variety of issues. Perhaps the most important is that they put student information at risk. The Jisc ethical hacking team gained access to universities’ personal information, finance systems, and research networks. If such an attack leads to a student’s identity being stolen, it can cause long-term credit damage and financial issues.

In addition to the risk of identity theft, schools also face the outages that take place during a DDoS attack. If a student has a paper due, a sudden server outage becomes far more than an inconvenience. Faculty and administrative staff also suffer when there’s downtime due to an attack. That type of attack can cost a university financially, not to mention put its reputation at risk.

How institutions can prepare

The first step toward mitigating damage for universities is putting standards in place. BS31111:2018 offers a standard all executive teams, including at the university level, can put in place to keep systems safe. Another reliable standard to follow is the National Initiative for Cybersecurity Education (NICE), a partnership between government, academia, and the private sector.

Using these standards as a guide, a university can create standards of their own, which can then be followed by both leaders and IT team members. HEPI refers to the “CIA triad,” which security experts often follow:

• Confidentiality– Locking down access to only those who need it.
• Integrity– Monitoring data to make sure it remains accurate and unchanged.
• Availability– Being able to access the necessary data.

Outside academia, confidentiality and integrity are the biggest issues in a failure. However, for those in academia, a loss of availability can become a real problem. That means university security teams need to invest time into creating policies and invest in security measures that ensure 24/7 availability of data.

Being aware of the threats most often seen at the university level can also help protect against them. Phishing is an ongoing problem, but today’s savvy attackers are using tricks like spear phishing, which collects data from a variety of sources readily provided by your own end users. That includes passwords and personal data, but they can also pull in information published on social media sites for a socially-engineered attack or exfiltrate data from commonly used tools such as a clipboard.

Having the right security team in place can be the first line of defense, but good analytics can also help you identify where problems exist. If your own security team members have access to all the resources and information they need, they’ll be better able to protect your university from a cyberattack.