Cybersecurity Attacks

Last year was a banner year for higher education — and not in a good way. 2016 marked a significant increase in the frequency and severity of cyberattacks on colleges and universities.

Cybersecurity firms and leading analysts had several consistent warnings for 2017. Denial-of-service attacks will grow in number and severity, ransomware will continue to grow, “fakes” in general are escalating rapidly, state-sponsored attacks will escalate, internal threats will increase and by 2020 a third of successful attacks on enterprises will be on their shadow IT resources. As bad as 2016 was, 2017 is already proving to be far worse.

Colleges and universities are excellent targets for cyberattacks. Though not in the same class as financial institutions, they typically have fairly open networks with relatively low levels of security, do less filtering of network and email content than other organizations and still have sizable budgets with the largest proportion usually relating to salaries. This is where “spear phishing” enters the picture.

Spear Phishing

“Spear phishing” is an example of a category of attacks called social engineering. This area has been called “hacking the head” because these cyberattacks skirt perimeter defenses such as firewalls and go directly to users. Spear phishing uses the most creative and convincing means to trick users into making a mistake, and hence compromise themselves. In many cases, this involves volunteering their username and password to the malicious agents who can then use the credentials to access any number of systems, including HR and payroll systems. If hackers can get a payroll direct deposit rerouted to one of their own accounts, the haul can be impressive. Note that this is essentially paid for by student tuition dollars. Despicable, yes. And too often successful.

The timing of a spear phishing attack is equally stunning. As reported from research studies, the median time for the first user of a phishing campaign to open the illegitimate email is 1 minute 40 seconds, with the average time for all recipients being 3 minutes 45 seconds to click on the malicious attachment. In 93 percent of cases, it took attackers minutes or less to compromise systems. Data exfiltration occurred within minutes in 28 percent of cases. Essentially, the damage is so quick that intervention is nearly impossible. Couple this with the fact that research also shows approximately twice as many people click malicious links as admit they do. For whatever reason, lack of awareness, embarrassment, denial or other, many people effectively default into their demise.

Effective Security

There are three components to an effective cybersecurity posture: people, processes and technology. All three are required. For anyone who erringly believes technology countermeasures should be able to protect people who believe they need not act responsibly, they believe in this fallacy at their own peril. The same principle applies to institutions that choose to believe that policies are unnecessary, and that everyone will simply choose to do “the right thing.”

HED institutions can work to meet the needs of these new threats in a number of ways. First and foremost, user communication, awareness and training are vital. Ensure that users are aware of these threats. Don’t try to dismiss them away, believing they either will never happen or that it “reflects badly on the institution.”

Policies and processes are equally vital. The National Institute of Standards and Technology (NIST) cybersecurity framework is the current gold standard for preparedness. There are five components to the NIST framework: Identify, Protect, Detect, Respond, Recover. There are numerous sources of information on this framework, as well as resources to help implement it.

I am continually amazed by the number of colleges and universities that do not take cybersecurity seriously and that have not implemented even basic protections and countermeasures. In this area, omission is almost inevitably a fatal mistake. If cost is an issue, this should be measured against the cost of doing nothing when the inevitable breach occurs.

A number of companies provide very good cybersecurity tools and systems that can be deployed quickly and effectively. However, while technology evolves rapidly, cybersecurity is among the fastest changing areas of all. This means that great technology can be wasted unless professionals with current expertise are involved in the design, planning and implementation of these tools. Relying on someone with 20-year-old knowledge to get this right precludes success.

Cyberattacks are escalating. HED institutions have tools and resources available to them to meet these challenges, and this should be a high priority. Taking action yet falling short is understandable, given the nature of this threat. Taking no action is unconscionable.

This article originally appeared in the issue of .

About the Author

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or [email protected].

Featured

  • Rice University to Build New Student Life Complex

    Rice University in Houston, Texas, recently announced that a groundbreaking ceremony for the upcoming Moody Center Complex for Student Life (MCCSL) will take place on May 8, 2025, according to a university news release. The 75,000-square-foot facility was designed by architecture firm Olson Kundig with Page serving as executive architect, and it has an estimated completion date of fall 2027.

  • Boosting Student Wellness and Safety Through Indoor-Outdoor School Spaces

    Engaging students through facilities designed for indoor and outdoor learning and activities reflects a growing awareness of how children learn and thrive, with educators recognizing the importance of getting outside and disconnecting from technology. And, as today’s youth grapple with the urgent mental health crisis of increased anxiety and loneliness fueled by both the pandemic and technology, along with a related crisis in youth physical health, the wellness benefits of getting outside have never been so palpable.

  • Thomas F. Frist, Jr. College of Medicine

    Established in 1999, the Education Design Showcase is a vehicle for showing off innovative — yet practical — solutions in planning, design, architecture, and construction. Thomas F. Frist, Jr. College of Medicine has been recognized with an EDS 2025 Project of Distinction award in the category of New Construction.

  • Active Learning Classroom

    Striking a Balance: The Keys to Renovating Science Education Buildings for the 21st Century

    The recent renovation of the Durham Science Center at the University of Nebraska-Omaha (UNO) provides a roadmap for facilities managers tasked with balancing budget constraints, modern pedagogical demands, and long-term sustainability.

Digital Edition