The battle for cybersecurity in higher ed doesn't need to be a losing cause


For the past several years, we’ve seen a number of cybersecurity breaches and attacks targeting healthcare operations, government organizations and financial institutions. However, when it comes to ransomware, the education sector is at the top of the list.

According to a recent report by BitSight Insights, “The Rising Face of Cyber Crime: Ransomware,” 13 percent of education institutions studied by the company had experienced ransomware attacks on their networks in the last year. For comparison, the government was at 5.9 percent, healthcare at 3.5 percent and financial services at 1.5 percent.

Not surprisingly, higher education saw the most attacks within the education sector. In fact, Coalfire Systems, a cybersecurity firm, has said 17 percent of data breaches occur in higher education. And per the Beazley Breach Insights 2016 report, higher education institutions have been affected by ransomware more so than others.

Why are higher education institutions such a popular target for ransomware and other cybersecurity breaches and attacks? Plenty of reasons:

  • Openness of campus IT infrastructure
  • Widespread use of social media by students
  • Lack of the security protocols common in many corporate settings
  • Smaller IT teams
  • Tight budgets
  • More file sharing on their networks
  • Growth of mobility and BYOD use on campus
  • Many colleges, universities and hospitals have a research focus, which can produce valuable information hackers can seize

That’s not to mention colleges and universities are often run like mini-cities, which means they face threats across a wide swath of other verticals including financial services (banks on campus), retail (stores and restaurants on campus), healthcare (on campus clinics and medical schools) and gaming.

IoT is Adding to Security Challenges

Another factor that’s likely to play an outsized role is the Internet of Things. IoT is perhaps one of the most tangible and exciting examples of how networking can be leveraged to gather analytics, introduce more automation and simplification, and create more visibility into the operations of these internet-connected devices. It’s a massive growth area in technology — with predictions ranging from 28 billion to more than 50 billion connected devices globally by 2020 — that has important implications for the research and education community.

Unfortunately, IoT’s growth also means it’s a breeding ground for malicious cyber behavior — particularly given, to quote a recent Bitdefender report, “IoT devices can’t always support complex and evolving security algorithms…or they don’t include long-term support or automatic firmware updates despite being created with longevity in mind.” Even the most basic security steps, like changing the device’s arbitrary password assigned by the manufacturer, isn’t happening.

Because of these weaknesses, we recently saw one of the largest DDoS attacks in history against prominent security blogger Bryan Krebs. Bad actors were able to turn unprotected IoT devices like webcams, routers and DVRs into a giant botnet that overloaded Krebs’ servers to the point the site went offline for several days.

This type of a threat can easily translate to higher education — on average, college students bring seven wirelessly connected devices with them to school, and that means added vulnerability to the campus’ network.

How to Manage IT Complexities While Maintaining Security

Well over half of higher education IT decision-makers in a recent national survey say their organizations lack the visibility necessary to pinpoint critical problems across their institutions’ IT systems. In fact, four in 10 respondents said the complexity of IT systems and technology was among the top difficulties they faced.

This is an alarming problem given the number of devices riding college and university networks every day. Trying to monitor each and every device on campus would be impossible for any organization, let alone campus IT staff, who as I mentioned before, are already strapped for resources.

So what can higher education institutions do to combat ransomware and other cybersecurity threats? Here are some tips:

  • This one is obvious, but important to reiterate: Always perform regular backups of business-critical information. If your files are backed up, the extortionists have no power.
  • Educate faculty and staff on what phishing emails are and how they work. Most malware comes through phishing emails.
  • Contact your Internet Service Provider (ISP). Your ISP may have the keys to decrypt your files or can provide guidance of the characteristics of the particular ransomware.

In addition, we find organizations spend too much on security technology, searching for a cyber-panacea, and as a result, are becoming less secure.

Often, when organizations invest in some security product, they think they have “checked the box” on security. However, having a strong security program also means managing security policies and procedures with employees. Security experts in higher education, as with anywhere else, have to manage the security technologies and products and stay up-to-date on governance, compliance and risk standards on an ongoing basis.

Because of this, higher education institutions should explore managed security solutions, which can take significant pressure off their IT staff by pairing them with security experts who can create a customized security solution that addresses their needs. These experts come armed with an arsenal of learnings and best practices, and can help practitioners learn to recognize and mitigate issues as they arise. In addition, security contractors are trained and stay abreast of new security innovations. This heightened sense of awareness can be beneficial to helping make quick course corrections to a security program.

In higher education as with every other enterprise, cost is a concern, but when you factor in the overhead needed to manage a comprehensive security solution, contracting can prove to be a much more cost effective solution.

Embracing the New Normal

Attacks like the one on Brian Krebs’ website will only continue to escalate, both in number and in size, and no one is immune. That said, there are a number of ways higher education institutions and the research community can keep their networks safe while still providing the access and bandwidth needed (and expected) by their students and faculty.

The key is to understand the threat landscape, educate stakeholders, backup important data and if possible, form relationships with security experts and contractors. Cybersecurity is a daily battle, but if higher education institutions take the right steps to safeguard their networks, it doesn’t have to be a losing one.

David Young is regional vice president overseeing the Government Markets Group at Level 3 Communications.