Threat of data breaches keeping you up at night?
- Colleges are target-rich environments for hackers
- The first step in protecting institutional data is to understand six key threats
- The next step is to reduce risk by making smart, sustained investments in planning, policymaking, auditing, technology upgrades, and education
If protecting a seemingly endless accumulation of data keeps you up at night, you’re not alone. For the third year in a row, information security tops Educause’s annual list of Top 10 IT issues, as ranked by both IT and non-IT leaders across higher education.
That’s why we’ve launched this six-part blog series, “Infosec Tips for Higher Ed.” We’ll talk about the challenges of continuing to provide all of the services your stakeholders expect, while at the same time taking the steps required to protect the vast amounts of data they’re sharing and storing within your institution.
This first blog is about the top information security threats facing higher education. Future blogs will cover how to assess your own vulnerabilities, develop a comprehensive security plan, improve internal awareness, and more.
Ultimately, the challenge we all face is that the threats are constantly growing and changing. So there will never be a single, static solution, and the work will never be done. But we can certainly minimize risk by making smart, sustained investments in planning, policymaking, auditing, technology upgrades, and education. So let’s get started...
Top information security threats facing higher education
It’s not hyperbolic to say that we live in a dangerous world. Hardly a week goes by without a media report of a data breach that exposes personally identifiable information. According to Symantec, more than 7.1 billion identities have been exposed in data breaches over the past 8 years.1
Higher education institutions are particularly attractive targets for hackers, because they have so many different kinds of data, often in large quantities—everything from social security numbers, financial data, and medical records to high-value research and intellectual property.
The first step in protecting your institutional data is to understand the threats. Here’s a list of what I see as the top 6 currently facing higher education.
1. Malware (spread through phishing and malicious web sites)
In higher education, the largest proportion of reported breaches fall into the hacking/malware classification (36%).2 A few helpful definitions:
- Malware (malicious software, such as a computer virus, spyware, ransomware, etc.) is created by hackers to gain access to computer systems. Once installed, the hacker can steal sensitive data or disrupt operations.
- Phishing is the process by which a hacker delivers malware or simply tricks the victim into giving up personal information directly. Disguised as a trustworthy party, the hacker contacts victims through email, instant message, social media, or a malicious web site designed to look legitimate and gets them to either (1) click on a link (which installs malware onto the computer or network) or (2) give up sensitive information, such as usernames, passwords, and credit card details.
An example of phishing might be a fake email from “FedEx” asking you to click on a delivery tracking number to provide missing information. When you click, malware is installed on your computer. Despite the growing awareness of these kinds of scams, millions of people still fall for them every year.
As hackers get more sophisticated about disguising communications, one of the main weapons institutions have to combat the threat is education. We’ll go into further detail on education and other threat reduction strategies in the next few blogs.
2. Outdated/inadequate technology
As I mentioned earlier, information security threats are constantly changing in nature, scope, and sophistication. It’s hard to maintain adequate technological defenses, even for institutions with significant resources.
At a minimum, keep your existing software up to date. Software providers release patches and upgrades for a reason. It’s critical not only that IT keep applications current, but that employees and other end users install updates when prompted.
It can be more challenging, both practically and financially, to add new capabilities in order to keep pace as threats evolve. For example, real time network intrusion detection is becoming critical, but many institutions still lack this technology. If you have limited resources, it’s important to prioritize threats and investments—something I’ll address in the next blog.
3. Insider threats
Insiders, whether employees or trusted business partners, can pose as big a threat to information security as outside hackers.
Insiders know the most about the inner workings of the institution, and most have access to at least one or more systems with personal data. If you have a lot of data under the control of just a few insiders, you’re at even greater risk—particularly if you lack checks and balances or a clear separation of duties.
Complicating things further is that some data breaches caused by insiders are unintentional. In addition to falling prey to a phishing attack, an insider may attach the wrong file to an email, lose a laptop or USB drive, do secure work on a public Wi-Fi network, use an infected mobile device on the corporate network, or unknowingly provide compromising details on social media.
And finally, third party partners that access or store your constituents’ data can also pose a threat, whether intentional or unintentional. It’s critical that you conduct due diligence on a partner’s security policies and protocols—and include them in your ongoing auditing process—because you are ultimately responsible for any breach of your data, regardless of who is at fault.
4. Lack of awareness and education
Research from Educause shows that from 2005 to 2013, nearly half of all higher education data breaches had underlying "human element" causes.3 That’s one reason technology will never solve all of our security problems.
Whether it’s training faculty and staff to avoid phishing scams or improving awareness of what constitutes “sensitive information,” education is one of our most important weapons against data breaches.
Some employees are completely unaware of how valuable even partial information may be to potential hackers or that the institution’s most important property may be intellectual, not physical.
Others may complete IT security training and yet still not bother to create strong passwords or encrypt sensitive files. After all, it’s easier to change awareness than behavior.
To mitigate some of the largest threats to data security, your cybersecurity training program must be both comprehensive and ongoing. I’ll provide more tips on creating an effective education program in a later blog.
5. Limited resources
Even if you’ve implemented good security technology and protocols, maintaining them requires an even greater level of time and talent. Unfortunately, many institutions lack the resources to:
- Systematically gather logs and network data for ongoing analysis
- Respond quickly and aggressively to incident reports
- Stay on top of patches and upgrades
- Monitor systems controlled by departments other than IT
- Recruit highly qualified IT staff as needs change
- Provide ongoing training
As higher ed increases its understanding of the magnitude and nature of the threats—as well as the solutions required—the resources dedicated to information security will continue to increase.
6. Higher education’s commitment to the open exchange of ideas
Higher education has a long and admirable commitment to the open exchange of ideas and information—one that we must preserve in order to advance learning and innovation. But this culture can work against an institution when it comes to data security. So we need to find a balance.
When designing new systems, it’s important to think as much about how to protect information as how to share it. For example, collaboration may be key when conducting potentially life-changing medical research or managing early alerts and interventions to improve student success. But if you don’t address information security from the outset, you could end up with a system that’s not optimized to comply with fast-changing regulatory and privacy requirements. The result will be not only inefficiency, but the possibility of incurring financial penalties or compromising your reputation.
In the next blog...
Once you have a better understanding of the threats, it’s time to assess which pose the biggest risk to your institution and how vulnerable you are.
In the next blog, I’ll provide a framework for conducting an internal assessment and ranking threats by priority. Once you do this, you’ll be one step closer to creating an information security plan of action (blog #3).
Follow the blog series and leave a Comment below if you have additional insights that could help other institutions reduce risk.
2 ECAR: Just in Time Research: Data Breaches in Higher Education, 2014