Cybercrime Targeting Higher Education: What Needs To Be Done
Logicalis US, an international business IT solution provider, shared important insights this week about how cybercriminals are targeting colleges and universities, plus advice on four ways these institutions can strengthen their cybersecurity programs.
Over the past 10 years, we have reported on countless retailers, credit bureaus, insurance companies and other businesses hit by hackers, with millions of customer data records breached. The IT security pros at Logicalis pose the question "What could be worse?" Well, there's a simple two-word answer, they say: Higher Education.
The key problem for colleges and universities is that they collect very private and diverse kinds of data -- with everything from medical information to financial and credit card data -- and not just about students, but also their parents, and even emergency contacts. There are also applications, transcripts, disciplinary records, and other private information.
"Because of the sensitive nature of the information universities possess, when they are not adequately protected, it's like they're waving a red flag for cybercriminals saying, 'This is the best data -- come and get it'," warns Adam Petrovsky, GovEd Practice Leader at Logicalis US.
As a result, CIOs and Chief Information Security Officers need to be especially vigilant to fend off higher-education cyberattacks, shoring up their IT security to the greatest extent possible.
If the stakes weren't high enough already, Logicalis warns that colleges also need to comply with "at least five major privacy-oriented regulations including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Children's Online Privacy Protection Act (COPPA), and the Payment Card Industry Data Security Standard (PCIDSS), as well as a host of state-by-state regulations regarding data breach notifications."
Logicalis quotes data privacy experts who estimate that, "through a single incident, a college or university could be forced to contend with as many as 100 different breach notice laws."
Not If, But When
With cybercrime continually on the rise, Logicalis says the industry is now at a tipping point: "It's no longer a question of 'if' a university will be breached, it's a question of 'when' -- and whether or not the school's response will be adequate."
Big schools, smaller schools... all are at risk.
This past summer, UCLA, for example, reported a potential breach of 32,000 student records when a hacker broke into an administration server containing students' personal data. UCLA's Health Services system suffered an even larger breach in 2014, when a database of 4.5 million patient records was accessed by hackers.
Another example cited by Logicalis was the Michigan State University breach in 2016, where a hacker gained access to a database of approximately 400,000 records containing names, social security numbers, and ID numbers. In that case, the University found the breach quickly and took decisive action to shut it down within 24 hours. Only 449 records were actually accessed before authorities were able take the files offline.
The list goes on and on. Back in June 2012, we reported on a database breach at the University of Nebraska. At the time, it was being called the biggest university breach of the year, with sensitive information of more than 654,000 students exposed.
Government agencies and other organizations working with universities also create vulnerabilities for hackers to exploit.
This past April, for example, the IRS announced breach of the IRS Data Retrieval Tool, an online service used by college students to complete the Free Application for Federal Student Aid (FAFSA). The IRS reported that the personal data of as many as 100,000 taxpayers may have been compromised through a scheme where hackers posed as students applying for financial aid.
The cost of any one breach can be enormous. Overall, data breaches in colleges and universities are estimated to cost about $300 per student record. That's according to a 2016 report titled, "Pass or Fail? Data Privacy and Cybersecurity in Higher Education," from law firm McDonald Hopkins working with business insurance company Beazley.
Their report points out that the total cost of a breach for colleges and universities is much higher than the actual dollar amount needed to remedy a breach. The actual total costs involve a number of factors, such as losing the trust of donors that can harm future funding.
Cybercrime is clearly a huge risk for all businesses and for higher education in particular. So the question remains: what can be done to prevent network intrusions and database breaches?
Four Steps To Better Cybersecurity
The GovEd team at Logicalis specializes in these types of services and recommends four primary steps to help colleges and universities shore up their cybersecurity defenses.
First, clarify which information and databases you need to protect, and think about some of the common ways that data could be breached. Consider working with an outside auditor to examine the types of data being stored and where that data is located, such as on campus computers or in the cloud. The audit should identify servers and workstations, as well as laptops and mobile devices, that have access to confidential data.
As part of the audit, also examine the school's existing policies, documentation, and training regarding how to prevent and handle data breaches. Consider how students, staff, and vendors should be informed about safe data-handling policies. Anyone with access to a school's computing systems must remain vigilant.
Keep in mind that, "22 percent of data breaches are caused by an 'unintended' or accidental disclosure of private data, while an incredible 14 percent of data breaches are the result of something as simple as the loss of a portable device that had access to the data."
Those statistics, quoted by Logicalis come straight from the McDonald Hopkins / Beazley research. Their report indicates that (only) 35 percent of data breaches at colleges and universities are caused by hackers or malware. Another 12% are caused by physical loss of non-electronic records, 8% are attributed to "insider" theft, and 1% are related to payment card fraud. The other 8% are attributed to other or unknown causes.
Logicalis explains that, "A Common Security Framework (CSF) -- also known as an IT Security Framework or an Information Security Management System -- is a critical component to any higher education security strategy." It's essentially a blueprint for security protocols.
Government agencies offer a number of CSFs -- such as NIST SP 800, ISO 27000, SANS 20/CIS20, HITRUST and COBIT. Since choosing the best framework can be difficult without prior experience, professional guidance is highly recommended.
When setting data security policies, it's important for schools -- and really all organizations -- to provide access on a "need to know" rather than a "nice to know" basis. Logicalis suggests classifying data into categories (e.g., health info, payment info, grades, etc.) and tightening restrictions on data access by category.
Determine who should have access to sensitive data and who really needs administrative privileges. Logicalis points out that, "Oftentimes, administrative access is granted to department heads or even groups of support people for internal 'political' reasons rather than necessity."
Having a comprehensive, documented, easy-to-implement incident response plan is critical for every institution of higher learning, since sooner or later, breaches do happen.
The incident response plan should specify who is on the team and what steps the security framework recommends. Sound procedures include running incident response drills periodically and keeping response protocols up-to-date. Logicalis suggests that Educause (a non-profit association for higher education IT professionals) offers a helpful library of resources with best practices specific to higher education.
With so much at risk, plus the added complexity of today's government regulations, it is critical for schools to work with IT security experts -- either in-house or hired consultants -- who understand the specific challenges.
For those interested in learning more, the Logicalis GovEd team and other education-industry security experts will be on hand at the Educause 2017 annual conference, running Oct. 31 to Nov. 3, in Philadelphia.