One of the first significant data breaches to impact a college campus hit Ohio State University in 2010, involving the records of more than 700,000 people affiliated with the school. While there has never been evidence that documents were stolen, the event was a wake-up call for Ohio State and other major universities, said Dave Kieffer, an information technology leader at Ohio State at the time of the breach.
The threat then was novel, but colleges have become more proactive in addressing such risks over the past decade. Cybercriminals target colleges for a few reasons, said Kieffer, a research vice president with the Tambellini Group, an IT consulting firm. For one, the diversity of campus functions makes building a comprehensive security program challenging. Institutions also house many digital identities, making them a treasure trove for hackers. On campuses conducting research, intellectual property has also increasingly been targeted.
When the pandemic forced most colleges to move the bulk of classes and activities online last spring, it raised the level of cybersecurity risk created by these kinds of vulnerabilities. Although students and staff were distributed globally, cybersecurity systems must be maintained. Aging IT infrastructure, common across campus, complicates the situation by making it harder to store or transmit data securely, said Jesse Beauman, the assistant vice chancellor for enterprise infrastructure at the University of North Carolina at Charlotte.
Pandemic-era security risks
Security threats could appear minor. At Mt. Hood Community College in Oregon, faculty and staff primarily use devices the college provides. Still, as most employees began to work from home, they used more personal laptops, tablets, and phones to do their jobs.
This became one of Mt. Hood’s “biggest pain points” during the transition to remote operations, especially when it came to ensuring employees could access the college’s internal systems through virtual private network (VPN) connections, Blake Brown, Mt. Hood’s infrastructure manager, and Chris Neal, a cybersecurity specialist at the college, said in an email.
Two of the most significant risks to colleges’ networks are unsecured WiFi connections and weak password management, leading to stolen login credentials.
Requiring VPN use took care of the need for a secure connection, but instituting safer login access was more challenging. The college launched a new multi-factor authentication solution, unique to many Mt. Hood employees. Multi-factor authentication requires people to access a system and provide two or more pieces of information, such as a password and a code received through a text message (SMS). Its novelty meant Brown and Neal also had to do a fair amount of training and communicate about the change before it launched.
Schools are also vulnerable by using unpatched and unsupported software and operating systems, such as Windows XP or Windows 7. This behavior has attracted a type of cyberattack called ransomware, in which attackers encrypt their target’s files and demand payment to restore access. According to one recent report, ransomware attacks against higher education institutions doubled between 2019 and 2020, costing them $447,000 on average. The report explains that it is the No. 1 cyber threat to universities, ahead of data breaches and data theft by nation-states.
“Most ransomware attacks start with phishing, which targets users on any device and within any messaging application (email, SMS, and social media) that allows cybercriminals to send malicious links to unsuspecting users,” said Hank Schless, senior manager for security solutions at cybersecurity firm Lookout, in an email. They are clicking on the link or opening the attachment in a phishing email results in a malware download or stolen login credentials.
Data breaches have also focused on colleges in recent years. The technologies used during the pandemic for remote teaching, learning, and managing daily operations have opened up new doors for cybercriminals, making schools even more vulnerable to their attacks, said Kashif Hafeez, senior director at security firm WhiteHat. Remote learning and working provide more chances to share sensitive information over unsecured networks or share sensitive data with unauthorized people. Data breaches aren’t just caused by malicious outsiders and inadvertently by insiders who, for example, send a spreadsheet with student records in an unencrypted email, violating data privacy rules.
