Cybersecurity Attacks

Last year was a banner year for higher education — and not in a good way. 2016 marked a significant increase in the frequency and severity of cyberattacks on colleges and universities.

Cybersecurity firms and leading analysts had several consistent warnings for 2017. Denial-of-service attacks will grow in number and severity, ransomware will continue to grow, “fakes” in general are escalating rapidly, state-sponsored attacks will escalate, internal threats will increase and by 2020 a third of successful attacks on enterprises will be on their shadow IT resources. As bad as 2016 was, 2017 is already proving to be far worse.

Colleges and universities are excellent targets for cyberattacks. Though not in the same class as financial institutions, they typically have fairly open networks with relatively low levels of security, do less filtering of network and email content than other organizations and still have sizable budgets with the largest proportion usually relating to salaries. This is where “spear phishing” enters the picture.

Spear Phishing

“Spear phishing” is an example of a category of attacks called social engineering. This area has been called “hacking the head” because these cyberattacks skirt perimeter defenses such as firewalls and go directly to users. Spear phishing uses the most creative and convincing means to trick users into making a mistake, and hence compromise themselves. In many cases, this involves volunteering their username and password to the malicious agents who can then use the credentials to access any number of systems, including HR and payroll systems. If hackers can get a payroll direct deposit rerouted to one of their own accounts, the haul can be impressive. Note that this is essentially paid for by student tuition dollars. Despicable, yes. And too often successful.

The timing of a spear phishing attack is equally stunning. As reported from research studies, the median time for the first user of a phishing campaign to open the illegitimate email is 1 minute 40 seconds, with the average time for all recipients being 3 minutes 45 seconds to click on the malicious attachment. In 93 percent of cases, it took attackers minutes or less to compromise systems. Data exfiltration occurred within minutes in 28 percent of cases. Essentially, the damage is so quick that intervention is nearly impossible. Couple this with the fact that research also shows approximately twice as many people click malicious links as admit they do. For whatever reason, lack of awareness, embarrassment, denial or other, many people effectively default into their demise.

Effective Security

There are three components to an effective cybersecurity posture: people, processes and technology. All three are required. For anyone who erringly believes technology countermeasures should be able to protect people who believe they need not act responsibly, they believe in this fallacy at their own peril. The same principle applies to institutions that choose to believe that policies are unnecessary, and that everyone will simply choose to do “the right thing.”

HED institutions can work to meet the needs of these new threats in a number of ways. First and foremost, user communication, awareness and training are vital. Ensure that users are aware of these threats. Don’t try to dismiss them away, believing they either will never happen or that it “reflects badly on the institution.”

Policies and processes are equally vital. The National Institute of Standards and Technology (NIST) cybersecurity framework is the current gold standard for preparedness. There are five components to the NIST framework: Identify, Protect, Detect, Respond, Recover. There are numerous sources of information on this framework, as well as resources to help implement it.

I am continually amazed by the number of colleges and universities that do not take cybersecurity seriously and that have not implemented even basic protections and countermeasures. In this area, omission is almost inevitably a fatal mistake. If cost is an issue, this should be measured against the cost of doing nothing when the inevitable breach occurs.

A number of companies provide very good cybersecurity tools and systems that can be deployed quickly and effectively. However, while technology evolves rapidly, cybersecurity is among the fastest changing areas of all. This means that great technology can be wasted unless professionals with current expertise are involved in the design, planning and implementation of these tools. Relying on someone with 20-year-old knowledge to get this right precludes success.

Cyberattacks are escalating. HED institutions have tools and resources available to them to meet these challenges, and this should be a high priority. Taking action yet falling short is understandable, given the nature of this threat. Taking no action is unconscionable.

This article originally appeared in the issue of .

About the Author

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or [email protected].

Featured

  • MiEN Releases White Paper on Community College Space Innovation

    MiEN Company recently released a new white paper called “Designing New Innovative Spaces for Community Colleges” to address the needs of community colleges post-pandemic, according to a news release. The eight-page guide by Dr. Christina Counts, MiEN Company VP of Education and Marketing, covers topics like the enrollment drop that these schools have seen since COVID-19, the roles they play in higher education and local workforces, and five suggested key changes that can improve students’ experiences.

  • Image courtesy of Armstrong International

    The Modern Hot Water System Approach to Keep Higher Education Buildings Safe and Operational

    Higher education campuses face unique structural and operational demands. With a range of old and new buildings, a variety of facility types, and ambitious sustainability goals, it's essential that no aspect of infrastructural performance is overlooked. Facility managers must be equipped to provide a safe, reliable and efficient space for students, faculty and guests.

  • ProTeam Launches GoFit 6 HEPA Backpack Vacuum

    Technology leader Emerson recently introduced the new ProTeam GoFit 6 HEPA backpack vacuum, according to a news release. The vacuum was designed to capture 99.97% of particulates down to 0.3 microns—including atmospheric hazards like lead dust, mold spores, and other particulates—through an advanced filtration system.

  • Aims Community College to Build Workforce Innovation Center

    Aims Community College in Greeley, Colo., recently announced that it has broken ground on its new Aims Workforce Innovation Center (AWIC), according to a news release. The facility for workforce development, entrepreneurship, and education has a scheduled opening date of fall 2026.

Digital Edition