Every organization faces cybersecurity risks. Some involve critical threats to the safety and wellbeing of people. Others place priority on intellectual property, systems and privacy. Organizations typically plan their responses according to the sector in which they operate and their own legal and regulatory environment. Industries like defense, manufacturing, financial services, retail and healthcare can all draw from established cybersecurity frameworks and best practices.
So what happens when an organization’s operations span each of these sectors and beyond? Institutions of higher education face this challenge. The data they collect and store serves many purposes. From research and financial aid data to residential housing and healthcare records, higher education data is typically decentralized, varied and affects large numbers of people and organizations. These realities pose a rare set of challenges that must be addressed as part of an overall cybersecurity management program.
Data variety: Any business must protect employees, customers and internal data. This is true for higher education as well, but institutions also house, feed and protect people. They administer financial aid, accept donations, conduct research involving people and animals and create inventions and intellectual property (IP). This results in a breadth of data types rarely seen in other kinds of organizations.
Decentralization: In corporate environments, a select few manage the majority of data. Higher education operates in a largely decentralized manner. Many people with different skill sets and needs collect, process and store the data, which heightens the challenge of protecting data.
Varied rules and regulations: The wide scope of work being carried out in educational institutions is subject to many different standards, regulations and legal requirements that make it difficult to follow a single regulatory framework.
Higher education sits at a nexus. These institutions deal with innumerable compliance requirements across disciplines. While the Family Educational Rights and Privacy Act (FERPA) is an obvious exception, most cyber and privacy laws are not designed to address higher education institutions specifically. Educational institutions are nevertheless impacted. For example, the Health Insurance Portability and Accountability Act (HIPAA) was designed for hospitals and healthcare providers, but any campus health center or research institute that handles protected health information may also be subject to its privacy and security requirements. Similarly, the Gramm-Leach-Bliley Act (GLBA) was meant to regulate financial institutions, but on-campus departments collecting financial information or taking payments are legally bound by its financial privacy and safeguards requirements.
Funding: Most organizations struggle to secure large allocations for preventative measures like cybersecurity management. For higher education, the challenge is severely magnified. In many cases, funds are influenced by lawmakers, trustees and donors. Sometimes, regulations hinder what can be done.
Educational institutions also face more difficult decisions related to funding allocations than private sector entities. It is not a simple matter of diverting funds from a marketing campaign or even shareholder dividends. For a university, funding choices often come down to decisions about specific investments in the health and wellbeing of students. Choosing between expenditures like capital improvements or scholarships and cybersecurity initiatives will never be an easy decision to make.
The reality is, if a data protection regulation exists, it is likely to apply to universities. Educational institutions face a distinctive set of challenges. Given the breadth of regulatory issues combined with unique funding concerns and decentralized needs, a university must make a concerted effort to build a sustainable cybersecurity program.
A United States Department of Homeland Security assessment on cybersecurity risks in academia does not mince words: “We have high confidence in our primary judgment that U.S. university and college networks face a persistent threat as targets of opportunity for unwitting hosting of malicious cyber activity and cybercrime.”
In the face of considerable cyber risk, institutions need to consider four main threat actors:
Educational institutions face many of the same vulnerabilities as other organizations, but they are often intensified. Following are a few of the most common threat vectors:
Phishing: The average institution must contend with phishing attacks on hundreds or thousands of employees. Even if only one percent of recipients fall for a given campaign, a university with tens of thousands of students, faculty, staff and alumni still ends up with a meaningful number of compromised accounts. The sheer numbers and the dispersal of data throughout an institution create more potential victims and more places for a stolen credential to be useful. Phishing also presents an additional threat for universities given their historical openness for the dissemination of knowledge. For example, names, titles and contact information for university personnel are often included in publicly available online directories and organizational charts. Imagine, then, how easy it would be for an attacker to contact an accounting clerk while pretending to be the clerk's supervisor and requesting an urgent wire transfer.
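The scenario above, an attacker reusing a name from the public directory to impersonate a supervisor, has a cheap detection signal: the display name matches a real staff member but the sending address is not institutional, often paired with payment or urgency wording and a Reply-To pointing somewhere else. The following is an added illustration of that check and is not code from the e-book or from Baker Tilly; the directory entries, domains and messages are constructed sample data, and the scoring is a simple heuristic rather than a production mail filter.

```python
"""Flag display-name impersonation of directory staff in inbound mail.

Heuristic (added example, not production code): a message whose From display
name matches someone in the public directory but whose address is not at an
institutional domain is the classic setup for the "urgent wire transfer" lure.
Routine mail that merely mentions invoices or payments is not flagged on its
own, which keeps accounts-payable traffic from drowning the alert queue.
"""
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: the kind of names an attacker scrapes from a public
# org chart, plus the domains the institution actually sends from.
PUBLIC_DIRECTORY = {
    "Dana Whitfield": "Controller, Finance Office",
    "Luis Ortega": "Director of Research Computing",
}
INSTITUTION_DOMAINS = {"example.edu", "mail.example.edu"}
LURE_TERMS = re.compile(r"\b(wire|transfer|urgent|gift cards?|invoice|payment)\b", re.I)


def normalize(name: str) -> str:
    """Lower-case, strip periods and collapse whitespace so 'D. Whitfield' style
    variants still compare sensibly."""
    return " ".join(name.lower().replace(".", "").split())


DIRECTORY_NAMES = {normalize(n) for n in PUBLIC_DIRECTORY}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str) -> dict:
    """Return a triage record for one RFC 822 style message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []

    # Signal 1: a directory name on a non-institutional sender address.
    if normalize(display) in DIRECTORY_NAMES and from_domain not in INSTITUTION_DOMAINS:
        reasons.append(f"display name '{display}' matches directory but sender domain is '{from_domain}'")

    # Signal 2: replies are steered to a different domain than the sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To domain '{domain_of(reply_to)}' differs from sender domain")

    # Signal 3: payment/urgency wording, counted only when another signal fired.
    lure_hits = LURE_TERMS.findall(msg.get("Subject", "") + " " + body)
    if lure_hits and reasons:
        reasons.append("payment/urgency wording: " + ", ".join(sorted({h.lower() for h in lure_hits})))

    return {"from": addr, "suspicious": bool(reasons), "reasons": reasons}


def triage(messages: list[str]) -> list[dict]:
    return [assess_message(m) for m in messages]


# Constructed sample messages: legitimate internal mail, a BEC-style lure, and
# routine vendor mail that mentions payment but is not an impersonation.
SAMPLE_MESSAGES = [
    textwrap.dedent("""\
        From: Dana Whitfield <dana.whitfield@example.edu>
        To: ap-clerk@example.edu
        Subject: Q3 vendor reconciliation

        Please send the reconciliation sheet when you have a moment.
        """),
    textwrap.dedent("""\
        From: Dana Whitfield <dwhitfield.controller@example-edu.com>
        Reply-To: dwhitfield.ctrl@freemail.example
        To: ap-clerk@example.edu
        Subject: Urgent wire transfer - need this done today

        I am in a meeting and cannot talk. Process a wire transfer of $48,200
        to the vendor below before 3pm. Keep this confidential.
        """),
    textwrap.dedent("""\
        From: Bookstore Orders <orders@example.edu>
        To: ap-clerk@example.edu
        Subject: Invoice 4471 payment

        Attached is invoice 4471 for this month's textbook order.
        """),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['from']}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

Only the second message is flagged, and it is flagged on the name/domain mismatch and the Reply-To redirection before the wire-transfer wording is even considered; the vendor invoice stays quiet because wording alone never triggers an alert. In practice the directory lookup would be fed from the institution's own HR or identity data rather than a hard-coded dictionary, and the result would be routed to a mail-security quarantine or a SIEM rather than printed.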
Software vulnerabilities: All software has vulnerabilities. That is why vendors constantly issue patches. Universities face a special challenge due to the sheer volume of systems and vendors they have to work with and support. They will never have one software vendor for all of the software they require, so patch tracking and deployment are spread across many products, owners and schedules. Student information systems, web applications and payment systems are just a few of the software systems that bad actors seek to exploit.
Access control: Educational institutions typically have a large number of people with access to different systems, and different departments, contracts and mandates each carry their own cybersecurity requirements. Institutions need to plan for a variety of specific requirements around access, password control, multi-factor authentication and remote access.
Malware, including viruses and ransomware: Malicious software designed to damage systems, deny access to them or steal data. Typically it is delivered through phishing, but not always. A bad actor could gain access to one system and then use that foothold to spread malware to many other users and systems.
The internet of things: Any network-connected physical device falls into this category, including, for example, watches and fitness trackers, door-lock security systems, security cameras, HVAC, electrical, lighting and other connected infrastructure. Systems like these typically do not have the same security controls built into their software as an institution's other technology systems, and they are often managed by facilities or vendors rather than the IT organization. As a result, leaders do not always realize these systems can be exploited or used as attack vectors.
This e-book is designed to help institutions understand and implement appropriate steps for cybersecurity planning. The recommended framework is applicable to organizations in all industries. However, given their decentralized structures and breadth of at-risk data, institutions of higher education face special challenges.
A carefully planned cybersecurity management program can provide the necessary framework for continuous monitoring and response in higher education. Institutions of higher education typically seek to support the creation and sharing of knowledge for the betterment of society as well as safeguard and strengthen the overall health and wellbeing of large groups of people. In the context of such a critical mission, the importance of a well-designed program that identifies, contains and manages threats to information, finances and intellectual property cannot be overstated.
For more information on this topic, or to learn how Baker Tilly higher education specialists can help, contact our team.