Institution with hooded figure

A peek at Microsoft’s Global Threat Activity tool may surprise you. In the past 30 days, the Education sector has reported more malware encounters than any other industry. With nearly 6 million threats in Education alone, the Retail and Consumer Goods sector is a distant second with under 640,000 incidents. But why on Earth would hackers target learning institutions, especially universities?

Universities and colleges are easy targets. As early adopters of computers and the internet, many Higher Ed institutions still maintain legacy computers and infrastructure that limit the implementation of adequate cybersecurity. While shared USB drives, weak passwords, and email attachments have long been entry points into university networks, the pandemic-induced scramble to remote learning intensified cybersecurity challenges. Bring Your Own Device (BYOD) policies, disruptive class Zoom-bombing, and flaws in open-source learning platforms have made universities more vulnerable than ever.

Easy targets aside, the most compelling reason is data

Research data is prized data

Universities house massive amounts of data. Student records alone contain personal, medical, and financial information. Data collected by research universities in partnership with government agencies like NASA, the National Institutes of Health, or even the military is particularly sensitive. A university breach could plausibly lead to compromised national security. 

Sound farfetched? Some of the United States’ most prestigious universities have been the victim of cyberattacks, some by Russian bad actors. Cornell University, New York University, and the University of California at Berkeley have each experienced a significant cyberattack. Howard University had more than 80,000 patient records breached in a ransomware attack. And Lincoln College, a 157-year-old HBC that endured the 1918 influenza pandemic but struggled with enrollment during the early days of COVID-19, shuttered after a ransomware attack in December 2021.

3 boxes: private college; large university; and state school

Not surprisingly, phishing emails continue to be the most common cyberattack method. After all, why change a tactic that’s proven to work? Bad actors cast a wide net of phishing emails, hoping for a random click to deploy malware that will capture passwords, usernames, and social security numbers. But stealing a credit card CVV is often a warm-up. Gaining access to valuable information is the goal, even if it takes time. A little data here and there can result in a treasure trove of information — and hackers are playing the long game.

A myriad of regulations and compliance frameworks

Universities must comply with numerous regulations, including the Family Educational Rights and Privacy Act, Title IX, Title VI, the Americans with Disabilities Act, Section 504, HIPAA, and the Freedom of Information Act. In addition to student enrollment, grants, and financial transactions, universities must manage risks related to third parties, vendors, and subcontractors. Security and compliance frameworks help universities protect critical data and manage risk but add to the complexities of coordinated cybersecurity efforts.

The spreadsheet reality

Universities often prioritize athletics and donor demands over cybersecurity, leaving IT departments to make do with spreadsheets to track security and risk — creating enormous headaches for IT teams. On the surface, spreadsheets make sense: rows and columns of approvals, authorizations, categorizations, and reconciliations can be quickly sorted and even visualized by some spreadsheet applications. The spreadsheet reality, however, is starkly different. At best, multiple stakeholders from other departments or colleges within the university system make updates directly into a shared spreadsheet. But a single ‘Save As’ can set off a chain reaction of duplication and inaccuracy. The burden on IT teams to compare rows, cells, and sheets to ensure a single source of truth creates undue work, leading to employee fatigue and burnout. And with every spreadsheet iteration comes added room for error. More importantly, it’s a woefully inadequate defense against cybercriminals.

Viable options exist to manage cyber risk without a significant investment of money. A compliance operations platform can manage cybersecurity evidence collection and monitor controls through automation and analytics. Accelerated risk assessments for vendors and controls mapped to specific risks help IT teams manage critical cybersecurity issues more effectively. Although bad actors are the aggressors in an attack, universities are ultimately responsible for securing their networks and should carefully evaluate platforms for customizations, features, complexities, and scalability. Ultimately, the goal is to reduce the risk of cyberattacks, which can result in data breaches, reputational damage, financial loss, and operational disruption. A well-planned, adequate cybersecurity strategy is essential to the continued success of universities and colleges.

A vector person holding up a trophy in front of a government building

Critical infrastructure, critical data

Universities are critical infrastructure, being “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” They educate, develop, and produce scientists, physicians, economists, historians, and engineers. Universities contribute to innovations in technology, space exploration, and the advancement of society. But even at their most secure, universities are vulnerable targets for cyberattacks due to the sheer amount of prized data they maintain. Universities must prioritize actionable cybersecurity strategies to meet the future on its terms. If cybercriminals have no qualms about influencing a presidential election, they won’t hesitate to scale up their efforts to steal some of the world’s most sensitive data.

Monthly Newsletter

Get the Latest on Compliance Operations.
Subscribe to Hyperproof Newsletter