When we think about cyberthreats, many sectors readily come to mind: infrastructure, finance, healthcare, and government, to name a few. But how many people naturally think of higher education when the subject of cybersecurity comes up? While it’s difficult to keep track of the unique cyberthreats faced by different industries, it has become increasingly clear that higher education is particularly vulnerable to a range of potentially crippling cyberattacks.
From large catalogs of sensitive student information to research data, cybercriminals have plenty of tempting targets in institutions of higher education. This is why it should come as no surprise that cyberattacks on these institutions have been on the rise. What might be even more unsettling than the increasing attacks on colleges, universities, and research centers is the fact that higher education lags behind other sectors when it comes to cyber-preparedness. Chief information security officers and IT professionals at our universities can’t afford to let this status quo persist.
As students return to classrooms, it’s important to examine why these vulnerabilities exist—as well as why the sector isn’t addressing them proactively enough. As with any company or organization, the consequences of a successful data breach can be devastating for universities: huge ransom payments, stolen student information, and significant reputational harm. University CISOs have a responsibility to implement a robust cybersecurity awareness platform, which means garnering stakeholder support and improving cyber awareness across faculty, administration, and students.
Cybercrime is a growing problem for higher education
The cybercrime threat to the education sector is mounting, along with its financial toll. According to the 2022 Verizon Data Breach Investigations Report, “Educational services follows an eerily similar trend to the majority of the other industries; it is experiencing a dramatic increase in Ransomware attacks.” The researchers found that over 30% of breaches in the sector are attributable to ransomware.
Education and research institutions were targeted by an average of 1,065 cyberattacks per week last year—a 75% increase from 2020. In fact, cyberattacks on higher education have been soaring for years—the Federal Student Aid Post-Secondary Institution Cyber Team found that “actual and potential cyber incidents” rose by 2,880% between 2015 and 2019. Higher education institutions shouldn’t expect cyberattacks to become less frequent or destructive in the coming years. If anything, CISOs and administrators have every reason to believe they will face more. The time to prepare is now.
These are the reasons university CISOs have to take the lead in preparing their institutions for a rapidly evolving cyberthreat landscape. This is a process that has to encompass everyone, from professors and librarians to record-keepers and students. While there are many digital tools available to university CISOs—such as multi-factor authentication on all campus devices and digital learning platforms—their most valuable asset is robust cybersecurity awareness at every level.
Higher education institutions are behind on cybersecurity
Despite the emerging awareness of the cyberthreats colleges and universities face, the higher education sector is struggling to keep up. The U.S. Department of Homeland Security examined the state of cybersecurity by industry and found that the education category ranked at the bottom. This problem isn’t confined to the United States, either—according to a July 2022 report published by the U.K. government, 92% of higher education institutions in that country had identified a breach or an attack in the preceding year. This was much higher than the rate for all businesses: 39%.
A recent article in HigherEd Dive by KPMG’s David Gagnon, Tony Hubbard, and Kathy Cruz noted that “higher education has unique vulnerabilities that make it a prime target for cyberattacks.” These vulnerabilities include new attack vectors as a result of the recent transition to online learning, the management of large quantities of “valuable research intelligence and proprietary student data,” the fact that “higher education institutions typically operate in more open information technology environments,” and a lack of investment in cybersecurity.
The combination of increasing attacks on the higher education sector, the lack of preparedness, and the sector’s susceptibility to cybercrime has created an extremely dangerous situation for colleges, universities, and affiliated institutions.
Building cyber-awareness into higher education
Now is the time for CISOs to advocate the development of comprehensive cybersecurity platforms at their institutions. There are many measures they can implement, such as access protocols like multi-factor authentication, the establishment of rigorous data management policies, and the creation of incident response teams and mechanisms.
But the most effective cybersecurity resource higher education institutions have at their disposal, aptly enough, is education. This year’s Verizon DBIR reports that 82% of breaches involved a human element—a powerful reminder that engaging security awareness content is the best way to protect any organization from a wide range of cyberthreats.
University CISOs and IT professionals need to make the case that digital literacy isn’t just a vital skill for administrators—cybersecurity education is also essential for faculty and students. By creating a culture of cybersecurity at every level of the institution, CISOs will show all key stakeholders—including alumni, donors, and government agencies—that they take the protection of student records, research data, and other types of sensitive information seriously. With this goal in mind, here are a few guidelines for building a culture of cybersecurity at your institution:
- Keep administrators, faculty, and students engaged with relevant content. By demonstrating how human behavior (downloading malware, using school-issued devices on unsecured public WiFi, and so on) can lead to breaches, cybersecurity pros will show all relevant stakeholders how they can protect their institutions.
- Respect your learners’ time. Your cyber-awareness content should be developed and deployed with your audience in mind. From students who may be attending school and working simultaneously to professors with full course loads and research projects to complete, the people you’re trying to reach are busy adults with limited bandwidth. This is why your educational content should be concise, engaging, and timely.
- Objectively evaluate your cybersecurity awareness program. Just as students have to take tests and submit term papers, university CISOs and IT professionals are responsible for proving that their training content works. This means quizzing learners, conducting phishing tests, and rigorously monitoring cybersecurity performance at every level of the institution.
The cyberthreats faced by the higher education sector are only going to become more pressing in the coming years. It’s fitting that a core part of the solution to this growing problem is education, and CISOs should take the lead in demonstrating this fact to their colleagues.
Shaun McAlmont is the CEO of NINJIO, Cybersecurity Awareness Training.