Colleges and universities are scrambling to prevent higher education cyber attacks as online education becomes a target for criminals. Disruptions to higher education institutions due to cyber crimes, ransomware, and hacking are becoming more common as colleges and universities increasingly see their risk management programs being challenged by hackers. Ransomware attacks against colleges and universities have doubled over the past year. These situations have moved conversations around cybersecurity from the IT realm into discussions by senior cabinet administrators, higher education presidents, and boards of trustees.
However, the number and magnitude of the SolarWinds, Microsoft Exchange vulnerability and other cyber attacks, like Stanford’s ransomware attack, have opened people’s eyes (and the cybersecurity conversation) to other aspects of the campus community. These conversations about third-party risk now include procurement officers, business officers, chief financial officers, provosts, and presidents. This evolution of cybersecurity discussions is leading to decisions about whether to bring partners and solution providers into the college environment.
Additionally, because of COVID-19, many institutions have a large remote workforce that is using technologies such as Zoom. However, this rush to adopt new technologies often meant that faculty, staff, and students did not understand how to use them securely. Increasingly, “Zoom bombings” occurred that disrupted meetings and classes.
These situations have increased the visibility of chief information security officers (CISOs) within their institutions. These individuals help higher education institutions be proactive in creating technology solutions and offer guidance in avoiding issues such as “Zoom bombings,” which are “teachable” moments. Approximately 42% of higher education institutions have a CISO. With the increased awareness of cyber attacks on higher education, that number should grow.
To make this more relevant (and prevent more teachable moments), CISOs and other technology staff need to avoid “geek speak.” Instead, they need to clarify terms for higher education leaders and boards to make the information resonate and be understandable.
Chief information security officers are trying to prevent higher education cyber attacks by moving from a culture of “no” to one of “know.” This involves teaching people how to safely work with technology, which has become even more important as institutions have embraced technology for online teaching and working from home during the pandemic.
For example, faculty, staff, and students have learned to use multi-factor authentication (MFA), a system that requires an additional verification step, such as approving a notification, beyond a user identification and password to sign on to the system. MFA provides another layer of security that is important because of the remote nature of work.
Previously, institutional leaders assumed that everyone—administrators, faculty, staff, and students—would be on campus and connected to the campus network, which provided a layer of security. Now with many people working remotely, MFA is needed to provide additional protection to the user and the institution.
Endpoint detection and response (EDR), “an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities,” is another way that CISOs are keeping ahead of cyber risk. EDR offers additional cyber-hygiene to remote workers who are using laptops, tablets, and phones at home or in gathering spots, such as coffee shops.
Many institutions are turning to the smartphone as a way for individuals to work and attend school, and this requires the institution to authenticate the user, the device, and the location to paint a full picture of the individuals who are accessing the institution’s information. While a smartphone is not a risk in and of itself, it is easily lost or stolen. Therefore, users need to lock the device with a PIN or biometric scan so that their institutional data and personal information stay protected.
Ransomware attacks, which have implications for institutional reputation, productivity, and the ability to operate, are costing institutions an average of $450,000 per event. While these threats have been around for a while, tactics are changing and growing as the ways to penetrate institutions’ IT infrastructures evolve.
Ransomware has evolved, and the number of incidents has increased since the advent and greater “acceptance” of bitcoin and cryptocurrency. Additionally, the adoption of cyber-liability insurance may be a factor in the increase in ransomware attacks, since these policies send a signal that the institution is willing to pay the ransom.
These types of attacks tend to happen when institutions have not updated their IT infrastructure (servers and software) in a timely manner. Some attackers are opportunistic: they target institutions that have not updated their infrastructure in order to exploit known vulnerabilities. Institutions therefore need to take a proactive approach, incorporating cyber-hygiene through patching or updating systems and increasing awareness through user training, to prevent these attacks before they occur. Institutions also need to be prepared to respond when prevention fails.
This type of risk planning is important from a communications and crisis management perspective. CISOs are being invited into the board room and cabinet meetings to answer questions about these risks. These individuals are being integrated into the enterprise risk function and the crisis management team. Additionally, ransomware attacks are being incorporated into the scenarios discussed as part of enterprise risk management planning.
How to prevent higher education cyber attacks

As part of this planning process, leaders need to consider other potential cybersecurity issues that can arise in the course of their research. While ransomware is in the news, other worrisome issues, such as research security, foreign influence from larger nation-state actors, and evolving threats that have not yet entered the higher education ecosystem, also need to be considered.
For example, one of the proactive shifts higher education institutions need to adopt relates to research security. The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s standard for any institution that is doing research on behalf of the DoD. While this standard is required of defense industry contractors, it also applies to higher education research institutions that are doing this type of research. This security protocol also includes protecting controlled unclassified information (CUI).
Many institutions are also doing research for the National Institutes of Health (NIH) and other federal organizations and should expect more cyber standards to emerge to protect this research. While these standards could relate to hacking, they also could apply to faculty who are placed in a position to provide this information to foreign agents. Thus, this risk planning effort requires a holistic approach to securing research and intellectual property.
Third-party risk, meaning those vendors who have access to the institution’s infrastructure, is also coming under scrutiny (as it should). For example, the vast majority of institutions use a student information system (SIS) from a vendor, e.g., Salesforce, Oracle, Jenzabar, or Ellucian, and those applications hold detailed personal information on thousands of students.
Now think of the SolarWinds hack: a nation-state compromised the company that delivered updates to thousands of companies’ computer systems. If that were to happen to your SIS vendor, hackers could have access to literally millions of student records. This is why institutions are beginning to take an inventory of the third parties they do business with through contracting and to ensure that those parties have the proper cyber-hygiene procedures in place.
Leaders need to know what data is being provided to these third parties and, contractually, how each third party will use that information. Supply chains can create risks as well.
Institutions must raise awareness about cybersecurity through conversations with employees and stakeholders, and find ways to collaborate to connect the dots. Providing education on cyber hygiene is especially important, including learning about current attacks and threats that other higher education institutions are facing.
CARES Act funds can be used to update technology to improve cyber hygiene. While these updates are important, leaders also need to ensure that higher education stakeholders understand their role in cyber-hygiene, such as not responding to phishing emails.
Password managers are helpful and are available through browsers and from a number of companies. In some cases, the password manager fills in passwords without the user ever seeing them, which takes the human risk out of the equation.
Dr. Drumm McNaughton provides strategy and risk management consulting for higher ed institutions.