Although not often given much media attention, universities and colleges are increasingly becoming top targets for hackers and cyber-attacks. Just a few months ago, University College London was hit by a ransomware attack that encrypted files and brought down both shared and local network drives as well as the school’s student management system. Other institutions that have experienced attacks in recent years include Pennsylvania State University, University of Maryland and the University of Delaware, all incidents in which private student, faculty, staff and personnel information was accessed and stolen through network vulnerabilities.
With the amount of data and personally identifiable information (PII) that higher education institutions host on their networks, it’s no mystery why they are so appealing to hackers. University and college networks host Social Security numbers, medical records, intellectual property, research data and financial information for faculty, staff and students. Further, because higher educational institutions operate within an open access culture, many organizations keep their networks open and accept anyone who decides to connect, through whichever devices they choose. This practice leaves networks vulnerable to the effects of unauthorized access, unsafe internet usage and malware.
Higher educational organizations also tend to operate with decentralized IT and information security practices, with individual schools or departments spearheading their own IT efforts. Additionally, they often lack funding to implement and maintain proper cyber controls and, as a result, have difficulty preparing for, identifying and stopping cyber threats and attacks. Plus, higher educational organizations are often unaware of emerging phishing campaigns, malware and other cyber threats due to insufficient incident collection and sharing. But even with these challenges, universities and colleges can take certain actions to improve their cybersecurity position and, in doing so, ensure they are compliant with the Family Educational Rights and Privacy Act, a federal law that protects student PII.
Organizations should be proactive by creating and implementing an overarching cybersecurity program that details policies and procedures for all components of the school. This program should also detail the actions to be taken in the event of a cyber-attack so that when one occurs all involved parties know exactly what to do. As part of the program’s implementation process and as an ongoing initiative, higher educational institutions should instruct both staff and students on cybersecurity best practices and possible risks. Universities and colleges should also run internal and external penetration testing to detect vulnerabilities in their networks. Most importantly, higher educational institutions should decide on the personnel who are going to manage all of the requirements, procedures and standards of their cybersecurity programs.
As managing these efforts can be burdensome on internal resources, many organizations may benefit from enlisting an MSSP to work as an extension of their cybersecurity teams. Dunbar Cybersecurity offers a full suite of digital security solutions, each of which is customizable to fit each unique educational institution.