Cyber Crooks Target Colleges and Universities as Students Return: Why Higher Education Is Vulnerable and How Leaders Should Respond

Tens of thousands of students are streaming back to college and university campuses. The start of another academic year always ushers in a new set of challenges for higher education leaders, but one with potential for outsized harm is the increasing interest of cyber criminals to target academic institutions.

Cyber crooks jumped into warp speed during the pandemic, seeking to capitalize on weakened security from remote work and learning. Institutions are at growing risk for financial, reputational and operational harm because of long-standing cyber vulnerabilities across higher ed and the failure of many university leaders to prioritize cyber preparation and defense.

What makes higher ed a prime target

The Security Scorecard gave education the lowest security rating out of 17 economic industry sectors. And since campuses hold the ingredients loved most by the bad guys, it’s no surprise higher ed cyber incidents are on the rise.

Personal Information

Colleges and universities collect and store a treasure trove of personal information on students, faculty and staff— names, addresses, credit card and banking information and Social Security numbers. Earlier this year, cyber criminals attacked the University of California, Stanford University and others in a textbook case of data theft with plans either to sell to the highest bidder or hold it as ransom in exchange for payment.

Intellectual Property

Last fall, an Iranian hacker group restarted a campaign attacking more than 140 U.S. universities, stealing intellectual property over time estimated at more than $3 billion. According to U.S. officials, the group worked alongside Iran’s Islamic Revolutionary Guard. Espionage against colleges and universities by state-sponsored actors  often seek military secrets and high-value research with potential to compromise U.S. national security.

Virtual learning

Perhaps the most significant vulnerability for higher education is a much larger threat surface today compared to life before the pandemic moved the bulk of learning and instruction online. Keeping devices and networks secure as students and faculty interacted virtually was a tremendous challenge few anticipated. That’s why cyber attackers pounced, often using Remote Desktop Protocol as an entry point without the users’ knowledge.

Uneven training, decentralized computer networks

Good digital hygiene is a must as a first line of protection. Yet, on a college campus, it can be difficult if not impossible to adequately train and enforce standard security protocols.

Further, university computer networks are, by their nature, “more open” compared to business and industry. Since students, faculty and staff regularly access those networks, it opens the floodgates to multiple avenues of exposure. University networks are also typically dispersed IT systems, creating more challenges for aligning and integrating defense mechanisms.

Prioritizing & Planning

Unfortunately, no panacea exists to fully close college and university cyber vulnerabilities. So, while institutions are wise to pursue multiple levels of layered defenses, including robust security training and thorough vetting of third-party vendors, two foundational steps are essential.

Elevate Cybersecurity to the Highest Levels

The single best step for any academic institution is making the protection of sensitive information a priority at the highest levels.

While corporate C-suites are turning in this direction, albeit slowly, colleges and universities are moving even slower. For too long, presidents, chancellors, board members and regents have viewed cyber protection as “only” a technology problem rather than a leadership mandate.

IT directors play an important role, but they don’t set institutional priorities or control how resources, financial and otherwise, are directed. It is incumbent upon university leaders to approach cyber protection as a strategic priority.

Prepare, Prepare, Prepare

Long-term consequences of a breach or attack can largely hinge on how a college or university responds. Too often, they are unprepared, even with the basics.

Like cyber protection, advance preparation takes on multiple layers, but here are the keys:

• Audit Sensitive Information: Knowing what you have, where and how it is held, and how it can be compromised goes a long way in helping colleges and universities respond quickly and strategically.
• Scenario Planning: Cyber criminals are savvy and work to stay one step ahead, especially when a new vulnerability emerges. Imagining and strategizing over each new scenario is critical.
• Cyber communications playbook: With no playbook, colleges and universities start with nothing. A good playbook contains key messages, holding statements, contact lists, internal communications procedures and more.
• Spokesperson: Identify and train a spokesperson now. It’s too late when a breach or attack occurs.

Students are on their way to campuses. So are the cyber and ransomware attacks. Strategic actions and decision-making now will put colleges and universities in better position to safeguard their reputation, finances and operations.

For information about APCO’s cyber protection and reputation practice, visit here.