        Top Emerging Risks in Higher Education

        Published December 17, 2021 • By Reciprocity • Blog

        In 2017 hackers launched a phishing campaign against Canada’s MacEwan University and defrauded MacEwan out of nearly $11.8 million. Although more than 90 percent of the stolen funds were subsequently recovered, the incident still embarrassed the university and is one of the most notorious cyberattacks in the higher education sector.

        More recently, a 2020 study found that U.S. schools, colleges, and universities have experienced more than 1,300 security breaches since 2005, leading to the exposure of roughly 24.5 million records.

        Another report reveals that in third-quarter 2020 alone, the number of weekly attacks per U.S. educational institution increased by 30 percent, while attacks against other sectors grew by only 6.5 percent.

        In cybersecurity circles, attacks against healthcare, technology, retail, utilities, and government get a lot of attention; threats against higher education seem to fly under the radar. The higher education sector, however, collects just as much sensitive data and has just as many vulnerabilities as other sectors — so higher education security cannot be ignored.

        • What attracts cybercriminals to attack colleges and universities?
        • What are the typical higher education risks from a cybersecurity perspective?
        • What are the potential consequences of neglecting cybersecurity risks?

        Read on for the answers.

        Why the Education Sector Is an Attractive Target for Cyberattacks

        So why are cybercriminals attracted to the education sector? The answer comes in one word: data.

        Educational institutions, and particularly higher education institutions such as universities, generate and hold massive quantities of data, including:

        • Personal data about students, faculty, and staff
        • Proprietary information about financial, healthcare, military, and emerging technologies from both for-profit organizations and government departments
        • Research data

        This data is valuable to cybercriminals, and its loss is expensive to the institution. The average cost of a data breach in the education sector reached $3.9 million in 2020.

        Elementary and high schools are just as vulnerable to data breaches. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools on the dark web. In September 2021, NBC News analyzed a trove of such information, which included the names, dates of birth, and Social Security numbers of students who are minors.

        The Ransomware Problem

        Institutions of higher education can also have their systems held hostage by threat actors launching ransomware. If the ransom isn’t paid quickly, attackers often publish the data online, ruin IT systems, or both.

        In 2019, more than 1,000 U.S. schools were hit by ransomware, with an average ransom demand of $115,123. In 2020, the average ransom jumped to $312,493. The University of California, San Francisco paid upwards of $1 million to ransomware attackers in 2020.

        The Phishing Problem

        Phishing emails are another threat to higher education institutions. One study revealed that almost 90 percent of top institutions fail to take measures that protect students and faculty from such attacks, such as investing in artificial intelligence that systematically detects and flags phishing attempts.

        The education sector is highly vulnerable to cyberattacks, especially due to the lack of attention to cybersecurity investment.

        Common Cybersecurity Risks in Education

        In one frequently shared article, Brian Kelly of Educause says that data breaches “are among the greatest sources of risk for higher education institutions.” He also says that as the world keeps moving online, cybersecurity risks in education will continue to increase. Here are some of these risks.

        Shift to Remote Learning

        Since COVID-19, educational institutions have increasingly adopted remote learning technologies to maintain learning continuity during lockdowns. While portable devices, internet-based learning modules, and video conferencing apps can maintain the educational experience, they also create cybersecurity risks for schools, colleges, and universities.

        Both teachers and students use personal devices such as laptops, tablets, and mobile phones to teach and learn. These devices store and use valuable data that's attractive to hackers. Because the devices and the internet connections they use are often insecure, they are vulnerable to exploitation, ransomware attacks, and data breaches.

        User Carelessness or Lack of Awareness

        People are another chief risk in education. A 2019 study found that 20 percent of college and university faculty are willing to sacrifice the security of their personal devices, but not their convenience or user experience. Such poor cybersecurity hygiene is one reason for the uptick in threats and data breaches in the education sector that year.

        Students also don’t consistently know how to manage or protect their data. They may use their school login credentials across social media and use weak passwords to access accounts.

        These careless practices make it possible for hackers to steal credentials and gain unauthorized access to sensitive information in school databases or leverage ransomware attacks for cyber extortion.

        Lack of Information Security Staff

        The shortage of information security workers in higher education institutions results in a lack of cybersecurity investment, education, and communication. Current information security departments are understaffed and don’t have the bandwidth to communicate the consequences of using insecure devices and inadequately protecting valuable data.

        Adoption of Cloud-based Platforms

        The cloud and SaaS platforms are yet another significant risk in higher education information security. As more schools, colleges, and universities place more data in the cloud, they are more vulnerable to data theft or compromise. This risk increases when users access that data remotely, that is, from outside the institution's network, on insecure devices and WiFi networks.

        Moreover, institutions, students, and educators use multiple SaaS-based services and cloud-based platforms to share documents, teach, learn, and communicate. As a result, they send information across even more services and education networks. With the increasing prevalence of such “borderless networks,” the cyber threat surface expands.

        Outdated Technology and Poor Cybersecurity Practices

        Many schools still use legacy tech systems and outdated software applications that attackers can easily exploit. Some also neglect critical security practices such as:

        • Routine network monitoring
        • Deploying intrusion detection systems (IDS) and endpoint detection and response (EDR) systems
        • Software patching
        • Password discipline and strong password policies
        • Multi-factor authentication, password managers, and single sign-on (SSO)
        • Cloud vendor management
        • Verification of vendor compliance with regulations such as the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR)
        • Privacy management tools and institutional audits of compliance with privacy regulations

        Neglecting these basic security practices results in significant risks for educational institutions.

        Consequences of Not Managing Risks in Higher Education

        Needless to say, a failure to manage cybersecurity risks leaves educational institutions vulnerable to all kinds of cyberattacks, including:

        • Ransomware
        • Phishing
        • Hacking
        • Spoofing

        Such attacks can impose significant financial costs on the institution. The total cost could include the expense of security event remediation and investigation, ransom demands, refund demands, monetary penalties from education regulators, and productivity losses due to disruption.

        Attacks can also prevent students, faculty, staff, and other stakeholders from accessing critical learning and financial systems. Educational and other operations that run on a strict timeline can come to a crashing halt.

        The breach of sensitive student or research data (especially if it ends up on the dark web) can erode trust in the institution, affecting its reputation. It can also seriously harm its regulatory compliance and invite punitive measures that can both affect its financial position and increase reputational risk.

        Minimize Risks to Educational Institutions with ZenGRC

        To protect themselves from cyber threats, educational institutions must minimize their risk by establishing a robust security policy, upgrading their cybersecurity ecosystem, implementing threat detection systems, and educating users on cybersecurity best practices.

        ZenGRC is an enterprise risk management (ERM) platform that helps you manage risk assessments and ongoing initiatives. It is a single source of truth for document storage, automated workflows, and insightful reporting. The comprehensive view of the information security ecosystem supports continual compliance evaluation and monitoring to mitigate risks.

        With ZenGRC, schools and universities can confidently manage cybersecurity risk and compliance and strengthen their risk profile. Schedule a demo to learn about ZenGRC’s intuitive and easy-to-use platform.