Colleges and Universities are the new Hacker's Paradise!
If you have attended or you are attending a College or University you know that they are swarming with personal information. This information is not just about the students, but also their friends, family and professors. These higher institutions have become a “Hackers’ Paradise” by providing hackers with a multitude of targets and information sets to steal. Some new studies show that the education category is presently the 3rd most targeted area for hackers, behind the healthcare and finance/banking fields.
Why are universities becoming such an appealing target for hackers?
- There are currently about 5,300 colleges and universities in the United States. The number of students projected to be attending those American schools this fall is 19.9 million. Large colleges and universities can have tens of thousands of students enrolled at any given time. With one breach, hackers can access the information of a substantial number of people.
- Colleges and universities store many types of private and sensitive information. This information includes medical records, financial documents, and transcripts. Educational software companies in the U.S. also collect and store vital information from students. According to one American college and career software provider, Hobsons Inc., their web-based software, “Naviance”, serves as a platform that helps districts and schools facilitate the submission of college applications, transcripts, school forms, test scores, and student history to higher education institutions. Students submitted 6.4 million college applications and 38 million documents in 2017-18 through “Naviance”. Thanks to this new technology there are now more student records being stored online than ever before.
- Student and faculty information is not the only sensitive information hackers may target. Information about students' parents and family members can also be accessed. During the financial aid application process, students provide social security numbers, banking information, and in some cases, medical history for themselves and family members. The U.S. Department of Education requires colleges to verify financial and other information on the FAFSA (Free Application for Federal Student Aid) to determine the types and amounts of federal, state, and institutional aid students receive. The FAFSA application is linked online to students' and parents' IRS Federal Income Tax information; this is an appealing target for thieves and hackers.
- Most colleges and universities have on-campus clinics or even hospitals for student emergencies and care. Universities that teach medical students use on-site clinics and hospitals as teaching resources for medical training. The medical facility must store personal data pertaining to the specific patient being treated. There are currently 141 accredited MD-granting institutions and 34 accredited DO-granting institutions in the United States. This information is vulnerable to serious loss.
- Universities are often recipients of major grants and research stipends; they may even hold their own patents and have generated advances in many fields ranging from engineering to pharmaceuticals. If a breach occurs, hackers could gain access to privately controlled and owned research and information and use it for personal monetary gain at the cost of the institution.
One of the major challenges universities face when it comes to dealing with these threats is the large number of students and staff on campus. Because many of these students and staff come and go, it is difficult to track a breach when it occurs.
Universities should incorporate the following procedures to reduce the risk of losing sensitive information:
- Install proper cyber and physical security protocols: make sure all firewall, antivirus, and any other security measures are in place and up to date.
- Conduct regular security risk assessments to evaluate their security posture, and address findings and recommendations on an ongoing basis.
- Conduct regular penetration testing to evaluate the strength of existing security and to determine potential exposures.
- Secure important data and research on encrypted drives.
- If using cloud-based storage services to store proprietary information, ensure that they are encrypted and compliant with necessary laws, e.g. cloud-based storage services offering storage solutions to medical entities often offer a HIPAA-compliant version.
- Maintain strong compliance departments to ensure that FERPA laws and regulations are being adhered to and sustained.
- Ensure that HIPAA compliance staff is also in place to manage and protect patient consented information.
- Educate students, staff, and faculty about cybersecurity. It is crucial to educate as many people on campus as possible and make them aware of cybersecurity threats, so they can prepare themselves and their materials. This can add an extra layer of protection between hackers and the academic institution they are targeting.
The combination of student information, financial data, medical records, and proprietary files makes universities and colleges an optimal and tempting target for hackers. Since universities and colleges already face many challenges today, such as balancing multi-million dollar budgets, attracting and recruiting students, competing for academic standing, etc., they should not take the threat of cyber attacks lightly. Even a small breach of personal information can result in a serious financial penalty, in addition to a damaged reputation. It is vital that they take measures to prevent, educate, and acknowledge this threat.
This blog has been republished based on our previous posting Cybersecurity on campus: Centers of Higher Education being targeted for Information Breaches