Top Emerging Risks in Higher Education

In 2017 hackers launched a phishing campaign against Canada’s MacEwan University and defrauded MacEwan out of nearly $11.8 million. Although more than 90 percent of the stolen funds were subsequently recovered, the incident still embarrassed the university and is one of the most notorious cyberattacks in the higher education sector.

More recently, a 2020 study found that U.S. schools, colleges, and universities have experienced more than 1,300 security breaches since 2005, leading to the exposure of roughly 24.5 million records.

Another report reveals that in third-quarter 2020 alone, the number of weekly attacks per U.S. educational institution increased by 30 percent, while attacks against other sectors grew by only 6.5 percent.

In cybersecurity circles, attacks against healthcare, technology, retail, utilities, and government get a lot of attention; threats against higher education seem to fly under the radar. The higher education sector, however, collects just as much sensitive data and has just as many vulnerabilities as other sectors — so higher education security cannot be ignored.

• What attracts cybercriminals to attack colleges and universities?
• What are the typical higher education risks from a cybersecurity perspective?
• What are the potential consequences of neglecting cybersecurity risks?

Read on for the answers.

Why the Education Sector Is an Attractive Target for Cyberattacks

So why are cybercriminals attracted to the education sector? The answer comes in one word: data.

Educational institutions, and particularly higher education institutions such as universities, generate and hold massive quantities of data, including:

• Personal data about students, faculty, and staff
• Proprietary information about financial, healthcare, military, and emerging technologies from both for-profit organizations and government departments
• Research data

This data is valuable to cybercriminals, and its loss is expensive to the institution. The average cost of a data breach in the education sector reached $3.9 million in 2020.

Elementary and high schools are just as vulnerable to data breaches. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools on the dark web. In September 2021, NBC News analyzed a trove of such information, including students’ (minors) names, dates of birth, and Social Security numbers.

The Ransomware Problem

Institutions of higher education can also have their systems held hostage by threat actors launching ransomware. If the ransom isn’t paid quickly, attackers often publish the data online, ruin IT systems, or both.

In 2019, more than 1000 U.S. schools were hit by ransomware, with an average ransom demand of $115,123. In 2020, the average ransom jumped to $312,493. The University of California, San Francisco paid upwards of $1 million to ransomware attackers in 2020.

The Phishing Problem

Phishing emails are another threat to higher education institutions. One study revealed that almost 90 percent of top institutions fail to protect students and faculty from such attacks, such as by investing in artificial intelligence that systematically detects and flags phishing attempts.

The education sector is highly vulnerable to cyberattacks, especially due to the lack of attention to cybersecurity investment.

Common Cybersecurity Risks in Education

In one frequently shared article, Brian Kelly of Educause says that data breaches “are among the greatest sources of risk for higher education institutions.” He also says that as the world keeps moving online, cybersecurity risks in education will continue to increase. Here are some of these risks.

Shift to Remote Learning

Since COVID-19, educational institutions have increasingly adopted remote learning technologies to maintain learning continuity during lockdowns. While portable devices, internet-based learning modules, and video conferencing apps can maintain the educational experience, they also create cybersecurity risks for schools, colleges, and universities.

Both teachers and students use personal devices such as laptops, tablets, and mobile phones to teach and learn. These systems store and use valuable data that’s attractive to hackers. Because the devices and the internet connections they use on are often insecure, they are vulnerable to exploitation, ransomware attacks, and data breaches.

User Carelessness or Lack of Awareness

People are another chief risk in education. A 2019 study found that 20 percent of college and university faculty are willing to sacrifice the security of their personal devices, but not their convenience or user experience. Such poor cybersecurity hygiene is one reason why there was an uptick in threats and data breach attacks in the education sector in that year.

Students also don’t consistently know how to manage or protect their data. They may use their school login credentials across social media and use weak passwords to access accounts.

These careless practices make it possible for hackers to steal credentials and gain unauthorized access to sensitive information in school databases or leverage ransomware attacks for cyber extortion.

Lack of Information Security Staff

The shortage of information security workers in higher education institutions results in a lack of cybersecurity investment, education, and communication. Current information security departments are understaffed and don’t have the bandwidth to communicate the consequences of using insecure devices and inadequately protecting valuable data.

Adoption of Cloud-based Platforms

The cloud and SaaS platforms are yet another significant risk in higher education information security. As more schools, colleges, and universities place more data in the cloud, they are more vulnerable to data theft or compromise. This risk increases when users access remotely — that is, from outside the institution’s network, from insecure devices and WiFi networks.

Moreover, institutions, students, and educators use multiple SaaS-based services and cloud-based platforms to share documents, teach, learn, and communicate. As a result, they send information across even more services and education networks. With the increasing prevalence of such “borderless networks,” the cyber threat surface expands.

Outdated Technology and Poor Cybersecurity Practices

Many schools still use legacy tech systems and outdated software applications that attackers can easily exploit. Some also neglect critical security practices such as:

• Routine network monitoring
• Deploying intrusion detection systems (IDS) and endpoint detection and response (EDR) systems
• Software patching
• Password discipline and strong password policies
• Multi-factor authentication, password managers, and single sign-on (SSO)
• Cloud vendor management
• Verification of vendor compliance with regulations such as the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR)
• Privacy management tools and institutional audits of compliance with privacy regulations

The negligence of basic security standards results in significant risks for educational institutions.

Consequences of Not Managing Risks in Higher Education

Needless to say, a failure to manage cybersecurity risks leaves educational institutions vulnerable to all kinds of cyberattacks, including:

• Ransomware
• Phishing
• Hacking
• Spoofing

Such attacks can impose significant financial costs on the institution. The total cost could include the expense of security event remediation and investigation, ransom demands, refund demands, monetary penalties from education regulators, and productivity losses due to disruption.

Attacks can also prevent students, faculty, staff, and other stakeholders from accessing critical learning and financial systems. Educational and other operations that need to operate on a strict timeline can come to a crashing halt.

The breach of sensitive student or research data (especially if it ends up on the dark web) can erode trust in the institution, affecting its reputation. It can also seriously harm its regulatory compliance and invite punitive measures that can both affect its financial position and increase reputational risk.

Minimize Risks to Educational Institutions with ZenGRC

To protect themselves from cyber threats, educational institutions must minimize their risk by establishing a robust security policy, upgrading their cybersecurity ecosystem, implementing threat detection systems, and educating users on cybersecurity best practices.

ZenGRC is an enterprise risk management (ERM) platform that helps you manage the risk assessment and ongoing initiatives. It is a single source of truth for document storage, automated workflows, and insightful reporting. The comprehensive view of the information security ecosystem supports continual compliance evaluation and monitoring to mitigate risks.

With ZenGRC, schools and universities can confidently manage cybersecurity risk and compliance and strengthen their risk profile. Schedule a demo to learn about ZenGRC’s intuitive and easy-to-use platform.