Why is higher education more susceptible to cyber-attacks?
Universities, historically, have been particularly prone to cyber-attacks. During a pandemic, with an increased reliance on remote learning, this issue has only been exacerbated. In fact, education and research were the top targets of all cyber-attacks in 2021, with the amount of attacks seeing a 75% increase from 2020. As universities have built the infrastructure for both students to learn from home and staff to work from home, the amount of data and online activity has increased significantly.
Not only has the online presence of universities increased since the pandemic, but so has the incentives of cyber attackers. When online platforms or systems become absolutely necessary for the school to function, they are much more willing to comply when a ransomware attack has taken hold of those systems. Higher education had the highest rate of ransomware attacks among all industries surveyed in a report by BitSight.
Not only this, but higher education is also just generally more vulnerable than other industries. Academia prides itself on the openness and availability of its material, and this transparency has allowed for the computer networks of universities to be just as open and available as the material. With more access points into the university database, such as online libraries, classrooms, messaging systems and sign-on systems, cyber attackers will naturally have more places to break through the school’s defenses.
Also, universities have generally been online longer than other industries – they were some of the first places with access to the internet, and subsequently, have outdated systems and IT structures. Many institutions of higher learning still rely on legacy systems that are not equipped to handle the cutting-edge methods of cyber attackers today. Universities also notoriously fail to back up information, and the multiple separate servers and files that may make up a single department makes it difficult for universities to implement universal IT defenses. The multi-departmental build of universities increases vulnerability, as a decentralized approach to cyber-security in an institution will generally lead to a weak point somewhere.
How are hackers exploiting the higher education industry?
The most pressing method that universities must combat is phishing emails and websites. Studies show that 30% of users in the higher education industry have clicked on phishing scams, which is double the rate of the general population. Phishing is specifically harmful to universities because of the high amount of online communication within both the staff and student bodies. Not only are phishing emails a threat, but so are phishing websites. With all of the different sites and portals that students must pass through to find classes, activities, rooming assignments, etc., and all the sites that staff must use for lessons and communication, the possibilities for a fraudulent site are high.
Although the next method is not specific to universities, similar to Phishing, it is particularly harmful to universities because of their uniquely susceptible databases. SQL injections, which hijack the code behind a database to gain access to protected information, are the most persistent issue for websites in general. As previously mentioned, universities generally pride themselves on the openness of their material, and this allows for multiple entry points into the database. Any field on a website in which information is input is a vulnerability for an SQL injection, and universities generally have large databases with multiple of points of entry.
What are the harmful effects of these cyber-attacks?
Besides the constant threat of stolen information and data leaks, the issue that universities are most likely to be concerned about is the amount of money that cyber-attacks cost. As previously mentioned, higher education had the highest rate of ransomware attacks among all industries, and as the name implies, ransomware generally involves a large payout. On average, the payout from a university to a ransomware attacker is $112,000. However, fixing the damage and securing the data that the ransomware attackers stole costs significantly more. On average, this cost comes out to $2.7 million.
Besides the monetary cost of attacks on universities, the other threat they face is the fact that important information can be stolen or leaked. The amount of credit card numbers, social security numbers, names, addresses, and more personal information present in the databases of universities is incredibly large. Attackers may also be after intellectual information or research, and losing expensive research to the public can be incredibly costly for the university in both reputation and money.
If students do have information leaked, universities can also be subject to lawsuits, which can amount to more than any of the other costs they face. Lawsuits are also harmful to the reputation and future enrollment of the university, which is why they tend to keep leaks private and only disclose them if the law requires them to do so.
What can higher education do to prevent or mitigate the effects of these attacks?
The first thing that universities can do to prevent attacks is to perform an information assessment. Most importantly, universities should assess who has access to what data, and how that data is protected. As previously mentioned, universities typically have an overwhelmingly large database and multiple entry points. Performing an inventory on what data is being held, who has access to it, and how it is protected is the first step towards preventing a future attack.
Universities can also apply email filters to prevent phishing, build awareness among staff and students about cyber security, and proactively prepare defenses and remediation methods. What matters most in the event of an attack is that the university was properly prepared to respond to it, and that personal information of students and staff is protected above everything else.
