Educational institutions are no strangers to data breaches. According to the U.S. Department of Education, “computer systems at colleges and universities have become favored targets because they hold many of the same records as banks but are much easier to access.”
By now, most educational institutions have invested in controls to improve data security and often have someone specifically tasked with security responsibilities, but sometimes only as a fraction of his or her overall duties. Are those improvements enough to balance out the large bull’s-eye painted on academic institutions? If the shortest path to compromising your identity is via a breach at your alma mater, what can you do to protect yourself and others?
A Juicy Target, With Numbers to Prove It
Why are educational institutions (.edus) targeted? While there might be academic value in interviewing attackers to determine their particular motives for targeting this sector, it’s likely due to a mix of factors, including the academic mindset, limited resources and an industry profile that speaks for itself, as evidenced by the number of successful malware-related attacks. Add to that an ongoing slowness to adapt to change and you have a perfect recipe for a large attack surface with a low ability to detect, respond and contain.
How many breaches did the academic sector experience recently? While there isn’t a single source tracking those figures — perhaps the Department of Education should begin tracking them for prospective students to use as a differentiator — the numbers are significant:
- The Breach Level Index reported more than 200 breaches in the U.S. educational sector since Jan. 1, 2015. That number includes institutions of higher education as well as K–12 school systems.
- The Identity Theft Resource Center reported 58 breaches for 2015, representing 7.4 percent of breach numbers for that year and a total of 760,000 records. It also has found 50 breaches so far in 2016, representing 11.9 percent of breaches and over 363,000 records.
- In its Internet Security Threat Report for 2014, Symantec put the number of personal identities exposed to attackers in the academic sector at 1.35 million. In its most recent 2016 report, Symantec listed the educational sector in third place for the total number of breaches behind health care and business.
- The Privacy Rights Clearinghouse has a searchable list of breaches by year and business sector. For 2016 in the education sector, the site reported 14 breaches, totaling over 250,000 records.
But not everyone agrees on the meaning of these numbers. The Educause Center for Analysis and Research released a paper titled “Data Breaches in Higher Education” in which it concluded that “as an industry, education has some of the lowest counts of records exposed per breach incident — the number of reported breaches in the education industry does not mean more records containing personally identifiable information are being compromised.” However, it also noted that 36 percent of these breaches are classified as hacking or malware, soundly outpacing inadvertent disclosures or lost devices.
As recently as July 2015, .edus were reminded of their duties to safeguard student data. A Dear Colleague Letter issued jointly by the chief operating officer and the under secretary of Federal Student Aid noted, “Institutions are reminded that under various federal and state laws and other authorities, including the HEA [Higher Education Act of 1965]; the Family Educational Rights and Privacy Act (FERPA); the Privacy Act of 1974, as amended; the Gramm–Leach–Bliley Act; state data breach and privacy laws; and potentially other laws, they may be responsible for losses, fines and penalties (including criminal penalties) caused by data breaches.”
Prized, but Not for Their Prestige
What makes educational organizations such appealing targets? “Higher education is particularly vulnerable because colleges’ and universities’ computer networks have historically been as open and inviting as their campus,” said Kennet Westby, president of Coalfire Systems Inc., to Morning Consult. But there are even more factors that may put these institutions in the spotlight.
Easy Access to SSNs
Educational institutions have things attackers want, all in one place: names, dates of birth, addresses and Social Security numbers (SSN). The good news is that it is no longer commonplace for academia to print SSNs on student ID cards, use them as part of a username or print them prominently on transcripts. However, these changes don’t mean SSNs are protected behind an impenetrable wall.
Organizational Rigidity
As other sectors are elevating the roles of CISOs well above that of being guardians of technology, academia lags behind: Only large institutions have a CISO, or even someone at a manager/director level charged with information security. Based on 2014 data, Educause reported that only 19 percent of U.S. institutions have a CISO.
Limited Resources
Some institutions have only allocated security responsibilities at a part-time level, usually splitting an IT employee’s time between spearheading a security program and traditional defense tasks such as system or network administration. Between keeping the lights on and balancing the institution’s risk profile, that individual is under enormous pressure. According to the same Educause report, the average security budget for U.S. institutions is at 2 percent of the IT budget.
Academic Mindset
Even when institutions have managed to find the right person for the job and marshaled enough resources to properly fund security-related investments, those in charge often find themselves butting heads with faculty members staunchly defending what they perceive as incursions into academic freedom. Unlike in the business or military sector, these voices can be loud and may stop a new security initiative dead in its tracks. The culture of openness and transparency can turn into an immovable rock if it opposes a change you are trying to implement.
How can academic institutions improve their cybersecurity posture? What can cybersecurity professionals do to help? After all, these institutions — which have a special place in our lives as launchpads for careers — are a potential one-stop shop for cybercriminals.
Making the Grade
Here are five ways in which cybersecurity professionals can assist their alma mater to improve its cybersecurity posture:
- Adopt a CIO/CISO from an academic institution. Offer to adopt a CIO/CISO as a way to give back to an organization that has helped you or so many others start their careers. This process allows you to provide support and expertise to a security leader.
- Sponsor a faculty member. Unlike the previous recommendation, this is a bottom-up approach ensuring that someone on the faculty can help the administration explain and justify necessary changes. Having someone on the inside can make a huge difference in how the next security project is received by faculty and staff.
- Discount or volunteer your services. If you’re part of an organization that provides auditing, risk assessments or penetration testing services, offer to provide a deep discount for an alma mater or even volunteer your services.
- Teach. Whether you sign up as a bona fide instructor of record or simply offer to speak in relevant classes to provide a real-world perspective to students, teach. By interacting with students, faculty, administration and their various information systems, you will get a sense as to how well the institution cares about its security affairs.
- If need be, send a clear warning. Should your concerns reach the point of alarm, write a strong email or letter directly to the CFO, president, board of regents or board of trustees. While it may be tempting to splash some data on a dump site or leak a story to a news outlet, reaching out to the administration to point out specific deficiencies will better serve all the students who entrusted their data in an academic institution.
Data Security Resources for Academia
To improve their cybersecurity posture, academic institutions can tap into resources specifically for them and also apply some of the same techniques that other sectors have adopted:
- Educause, a nonprofit association whose mission is “to advance higher education through the use of information technology,” recommended a few steps for academic institutions:
- Join the organization’s security discussion group.
- Read and implement the recommendations from the “Educause Information Security Guide: Effective Practices and Solutions for Higher Education.”
- Implement a risk assessment or cybersecurity gap analysis to assess the extent to which people and processes are adequately protecting the organization. This should supplement regular pen tests and vulnerability scans, which provide the institution with a picture of its technical security defenses.
- The U.S. Department of Education website also has resources for those in the academic world:
There are even opportunities for academic institutions to leverage partnerships with security vendors. For example, Stanford University teamed up with a service provider to maintain security for more than 65,000 endpoints and 500 servers. But there are more options for schools: The AIG report “Privacy and Data Security Risks for Institutions of Higher Education” provides advice for establishments looking to increase security. While the list of recommended security measures is extensive, the report noted that they are becoming increasingly necessary in today’s cyber environment.
“The process can be slow and frustrating, but success can mean the difference between a well-functioning institution focused on achieving its mission and one that is beset with expensive, distracting and potentially debilitating data security issues,” the paper stated.
Regardless of the route educational institutions take, they need to know that security is a priority. Taking proper cybersecurity measures and forming partnerships with industry experts can help these establishments protect the personal information of students, faculty, staff and alumni without inhibiting the open communication they want.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato