Cybersecurity Attacks

Last year was a banner year for higher education — and not in a good way. 2016 marked a significant increase in the frequency and severity of cyberattacks on colleges and universities.

Cybersecurity firms and leading analysts had several consistent warnings for 2017. Denial-of-service attacks will grow in number and severity, ransomware will continue to grow, “fakes” in general are escalating rapidly, state-sponsored attacks will escalate, internal threats will increase and by 2020 a third of successful attacks on enterprises will be on their shadow IT resources. As bad as 2016 was, 2017 is already proving to be far worse.

Colleges and universities are excellent targets for cyberattacks. Though not in the same class as financial institutions, they typically have fairly open networks with relatively low levels of security, do less filtering of network and email content than other organizations and still have sizable budgets with the largest proportion usually relating to salaries. This is where “spear phishing” enters the picture.

Spear Phishing

“Spear phishing” is an example of a category of attacks called social engineering. This area has been called “hacking the head” because these cyberattacks skirt perimeter defenses such as firewalls and go directly to users. Spear phishing uses the most creative and convincing means to trick users into making a mistake, and hence compromise themselves. In many cases, this involves volunteering their username and password to the malicious agents who can then use the credentials to access any number of systems, including HR and payroll systems. If hackers can get a payroll direct deposit rerouted to one of their own accounts, the haul can be impressive. Note that this is essentially paid for by student tuition dollars. Despicable, yes. And too often successful.

The timing of a spear phishing attack is equally stunning. As reported from research studies, the median time for the first user of a phishing campaign to open the illegitimate email is 1 minute 40 seconds, with the average time for all recipients being 3 minutes 45 seconds to click on the malicious attachment. In 93 percent of cases, it took attackers minutes or less to compromise systems. Data exfiltration occurred within minutes in 28 percent of cases. Essentially, the damage is so quick that intervention is nearly impossible. Couple this with the fact that research also shows approximately twice as many people click malicious links as admit they do. For whatever reason, lack of awareness, embarrassment, denial or other, many people effectively default into their demise.

Effective Security

There are three components to an effective cybersecurity posture: people, processes and technology. All three are required. For anyone who erringly believes technology countermeasures should be able to protect people who believe they need not act responsibly, they believe in this fallacy at their own peril. The same principle applies to institutions that choose to believe that policies are unnecessary, and that everyone will simply choose to do “the right thing.”

HED institutions can work to meet the needs of these new threats in a number of ways. First and foremost, user communication, awareness and training are vital. Ensure that users are aware of these threats. Don’t try to dismiss them away, believing they either will never happen or that it “reflects badly on the institution.”

Policies and processes are equally vital. The National Institute of Standards and Technology (NIST) cybersecurity framework is the current gold standard for preparedness. There are five components to the NIST framework: Identify, Protect, Detect, Respond, Recover. There are numerous sources of information on this framework, as well as resources to help implement it.

I am continually amazed by the number of colleges and universities that do not take cybersecurity seriously and that have not implemented even basic protections and countermeasures. In this area, omission is almost inevitably a fatal mistake. If cost is an issue, this should be measured against the cost of doing nothing when the inevitable breach occurs.

A number of companies provide very good cybersecurity tools and systems that can be deployed quickly and effectively. However, while technology evolves rapidly, cybersecurity is among the fastest changing areas of all. This means that great technology can be wasted unless professionals with current expertise are involved in the design, planning and implementation of these tools. Relying on someone with 20-year-old knowledge to get this right precludes success.

Cyberattacks are escalating. HED institutions have tools and resources available to them to meet these challenges, and this should be a high priority. Taking action yet falling short is understandable, given the nature of this threat. Taking no action is unconscionable.

This article originally appeared in the issue of .

About the Author

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or [email protected].

Featured

  • Zurn Releases New Ductile Iron Frame Trench Drain System

    Zurn Elkay Water Solutions recently released the newest addition to its Train Drench portfolio, the Ductile Iron Frame Trench Drain System, according to a news release. The product is designed for heavy-duty applications like airports, military, universities, and more.

  • Allegion US Partners with Two Colleges for Mobile Credential Technology

    Allegion US recently announced a partnership with Florida Institute of Technology (FIT) and Denison College, in conjunction with Transact + CBORD, to install mobile credential technologies campus-wide, according to a news release. Implementing Mobile Student ID into Apple Wallet and Google Wallet will allow students access to campus facilities, amenities, and residence halls using just their phones.

  • University of Kentucky Sees Positive Results from Energy Efficiency Program

    The University of Kentucky in Lexington, Ky., recently announced the results of its Energy Program in Facilities Management, put into place eight years ago, according to a news release. Between the fiscal years of 2017 and 2025, the university’s campus grew by 13.6% while the energy use per square foot dropped by 19.2%.

  • Designing Learning Spaces that Support Student Mental Health and Wellness

    In today’s education landscape, schools are more than just centers for learning; they are integral to the holistic development and well-being of students. The global pandemic underscored the importance of addressing mental health in schools, as productivity dropped, stress levels rose and students faced challenges managing emotions.

Digital Edition