Easy targets. That’s the best way to describe universities and colleges as targets of cyberattacks. Most still operate on legacy systems and infrastructure, and a large, constantly changing population of users and devices, combined with inadequate cybersecurity policies, makes them easy prey for attackers.
Some of the most prestigious institutions you’ve heard of have been victims: Cornell University, New York University, the University of California at Berkeley, and Howard University, to name a few. And some you may never have heard of, such as Lincoln College in Illinois. The 157-year-old historically Black college, which survived the 1918 influenza pandemic but struggled with Covid-19, suffered too many recent blows to stay afloat. Earlier this year it had to shut its doors after a severe ransomware attack. It took months for staff to regain access to their systems, and once access was restored, the enrollment projections were disastrously low; the college could not recover.
Why are colleges and universities such an easy target? First, many maintain legacy computers and infrastructure, which makes comprehensive security controls difficult to apply. Second, weak passwords, shared USB drives, email attachments, and the remote learning brought on by the pandemic amplified existing challenges. Zoom-bombing, Bring Your Own Device (BYOD) policies, and open-source learning platforms further expose networks that were already weak. And finally, combine those weaknesses with a paradise of data for a cyber thief (personal and financial information, and even health data) and these establishments are an enticing target. Seventy-five percent of data breaches in the education sector happen at universities.
These institutions are also easy targets because of who they serve. First, they are teaching and research organizations, so the user population turns over constantly. Second, the pandemic escalated remote access, so more students and staff reach university systems from home. Many people need to be authorized to access information, often from a personal device or from a location outside the school’s perimeter. All these circumstances create unique challenges.
So while the walls are open, the IT networks also need to be tightly secured, with access permitted only to authorized users. And because universities handle sensitive information, they are subject to strict compliance requirements: PCI DSS for taking card payments, and NIST SP 800-171 and CMMC for federal and defense contracts. The Office of Federal Student Aid has also made NIST SP 800-171 a foundational part of its cybersecurity requirements for institutions.
How can an organization with a large attack surface stay open to a constant flow of users and at the same time be secure enough to meet compliance requirements? This is a challenge these institutions face daily.
Here are three ways to approach the dilemma and minimize the impact of a possible breach:
Adopt a zero-trust philosophy. Zero trust is a mindset. It means thinking not if but when a breach will occur, and treating your network, applications, and devices as already untrusted. As a result, access control enforcement needs to be as granular as possible. It also includes continuously assessing the state of all critical devices on the network, not just a small subset. Sampling has traditionally been seen as enough to confirm that devices are configured correctly; now that tooling permits every device to be audited, doing so is the recommended practice. Zero trust also means keeping the network resilient, so that when a breach occurs its impact is contained.
Maintain proper cyber hygiene. Getting the basics right keeps the network healthy and minimizes opportunities for attackers. It’s critical to stay on top of patching and to identify misconfigurations on the network, and configuration auditing is central to keeping hygiene levels high. Assessment tools help you identify weaknesses in switches, routers, and firewalls, and all devices should be monitored on as near to a continuous basis as possible. Choose a tool that gives remediation advice and exact technical fixes so problems can be identified and solved quickly.
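The continuous configuration audit described in the two points above, as an added example that is not part of the original article or any vendor's product: a small Python checker that walks the configurations of every network device in a fleet (not a sample), flags common misconfigurations on Cisco IOS-style configs, and returns an exact remediation command for each finding. The three device configurations are constructed for the example, the rule set is an assumption (a real baseline would be far larger), and the syntax patterns would need adapting for other vendors.

```python
"""Baseline configuration audit over a fleet of switch/router configs (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    rule: str
    evidence: str   # the offending config line
    fix: str        # exact remediation the operator should apply


# Assumption: Cisco IOS-style syntax. Each rule is (id, pattern on one line, remediation).
LINE_RULES = [
    ("weak-snmp-community",
     re.compile(r"^snmp-server community (public|private)\b"),
     "Remove with 'no snmp-server community <name>'; use SNMPv3 with auth/priv."),
    ("http-server-enabled",
     re.compile(r"^ip http server$"),
     "Disable with 'no ip http server' ('ip http secure-server' only if required)."),
    ("enable-password-not-secret",
     re.compile(r"^enable password "),
     "Replace with 'enable secret <password>' and remove 'enable password'."),
]


def audit_device(name: str, config: str) -> list[Finding]:
    """Return every baseline violation found in one device configuration."""
    findings = []
    in_vty = False
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        # Track whether we are inside a 'line vty' block so its transport setting can be checked.
        if not raw.startswith(" "):
            in_vty = stripped.startswith("line vty")
        elif in_vty and re.match(r"transport input (telnet|all)\b", stripped):
            findings.append(Finding(name, "telnet-on-vty", stripped,
                                    "Under 'line vty', set 'transport input ssh'."))
            continue
        for rule_id, pattern, fix in LINE_RULES:
            if pattern.search(stripped):
                findings.append(Finding(name, rule_id, stripped, fix))
    return findings


def audit_fleet(devices: dict[str, str]) -> list[Finding]:
    """Audit every device, not a sample: findings hide in the devices nobody checks."""
    return [f for name, cfg in devices.items() for f in audit_device(name, cfg)]


def audit_sample(devices: dict[str, str], n: int) -> list[Finding]:
    """The traditional approach: audit only the first n devices (shown to illustrate the gap)."""
    return audit_fleet(dict(list(devices.items())[:n]))


# Constructed sample configs: two well-configured devices and one neglected lab switch.
SAMPLE_DEVICES = {
    "core-rtr-1": """\
hostname core-rtr-1
service password-encryption
enable secret 5 $1$abcd$examplehash
snmp-server community St0ng-R0-Str1ng RO
line vty 0 4
 transport input ssh
 login local
""",
    "edge-fw-2": """\
hostname edge-fw-2
enable secret 5 $1$abcd$examplehash
no ip http server
line vty 0 4
 transport input ssh
""",
    "lab-sw-3": """\
hostname lab-sw-3
enable password lab123
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet
 login
""",
}

if __name__ == "__main__":
    print(f"sample of 2 devices: {len(audit_sample(SAMPLE_DEVICES, 2))} findings")
    for f in audit_fleet(SAMPLE_DEVICES):
        print(f"[{f.device}] {f.rule}: '{f.evidence}' -> {f.fix}")
```

Auditing only the first two devices reports nothing, while the full-fleet pass surfaces four findings on the lab switch, each paired with the command that fixes it; in practice the same loop would run on a schedule against configs pulled from every device rather than on embedded strings.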
Segment the network. This is a core principle within zero trust. It relies on splitting the network into smaller zones to prevent lateral movement in the event of an attack. This way, the damage is contained, intruders are blocked off, and only a small part of the operation is affected. Organizations often underutilize network segmentation, yet it also makes compliance easier to manage: systems can be segmented by the sensitivity of their data, and regulated data (card-payment, health, and research systems, for example) can be kept apart from everything else.
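One way to verify that segmentation actually holds, as an added example that is not part of the original article: a Python checker that evaluates a first-match firewall policy between named segments and reports every path from a general-purpose segment (student BYOD, research lab) into a regulated one. The segment ranges, the two policies and the port list are constructed for the example; the flat policy stands in for the "one big network" many campuses still run, and the segmented policy is the corrected version with an explicit deny in front of the payment zone.

```python
"""Check that regulated segments are unreachable from general segments (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: frozenset     # destination TCP ports; empty set means any port


# Constructed campus segments (assumed addressing).
SEGMENTS = {
    "student-byod": "10.10.0.0/16",
    "research-lab": "10.20.0.0/16",
    "pci-payments": "10.90.0.0/24",   # regulated: card-payment systems
    "mgmt-jumphost": "10.99.0.0/28",  # the only segment allowed to administer PCI hosts
}


def first_match(policy: list[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """Evaluate rules top-down like a firewall; anything unmatched is implicitly denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst)
                and (not rule.ports or port in rule.ports)):
            return rule.action == "permit"
    return False


def reachable_pairs(policy, src_seg, dst_seg, ports):
    """Probe the first and last usable host of each segment on each port; return permitted paths."""
    src_net = ipaddress.ip_network(SEGMENTS[src_seg])
    dst_net = ipaddress.ip_network(SEGMENTS[dst_seg])
    hits = []
    for s in (src_net[1], src_net[-2]):
        for d in (dst_net[1], dst_net[-2]):
            for p in ports:
                if first_match(policy, str(s), str(d), p):
                    hits.append((str(s), str(d), p))
    return hits


def violations(policy, protected=("pci-payments",), trusted=("mgmt-jumphost",),
               ports=(22, 443, 1433)):
    """Every permitted path from a non-trusted segment into a protected one is a violation."""
    out = []
    for src in SEGMENTS:
        if src in protected or src in trusted:
            continue
        for dst in protected:
            for hit in reachable_pairs(policy, src, dst, ports):
                out.append((src, dst) + hit)
    return out


# The weak policy: one flat network, everything can talk to everything.
FLAT_POLICY = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", frozenset())]

# The corrected policy: admin SSH from the jump host only, explicit deny into PCI, then general access.
SEGMENTED_POLICY = [
    Rule("permit", SEGMENTS["mgmt-jumphost"], SEGMENTS["pci-payments"], frozenset({22})),
    Rule("deny", "0.0.0.0/0", SEGMENTS["pci-payments"], frozenset()),
    Rule("permit", SEGMENTS["student-byod"], "0.0.0.0/0", frozenset({80, 443})),
    Rule("permit", SEGMENTS["research-lab"], "0.0.0.0/0", frozenset({80, 443})),
]

if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        v = violations(policy)
        print(f"{label}: {len(v)} paths into regulated segments")
        for src, dst, s, d, p in v[:3]:
            print(f"  {src} -> {dst}: {s} -> {d}:{p} permitted")
```

Rule order matters: the explicit deny sits before the general permits, so adding a broad "permit any" rule below it later cannot silently reopen the payment zone, and the checker would catch it on the next run if someone added one above it.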
Phishing attacks on students are one of the most prevalent tactics and continue to rise, so it’s no surprise that universities now rank cybercrime as the most critical risk they face. More than 80% of higher education institutions have experienced at least one successful cyberattack, and over 25% of universities admit to the theft of highly confidential data, including national defense research, medical research, and medical records. The University of California Los Angeles’ health system saw hackers access records of over 4.5 million patients; as a renowned research establishment, its data is plentiful and desirable to bad actors. These stories will continue to be told if establishments fail to protect their networks to the highest degree. A zero-trust mindset will help institutions stay protected and shrink the enormous target that sits on their backs.