Cybersecurity Attacks

Last year was a banner year for higher education — and not in a good way. 2016 marked a significant increase in the frequency and severity of cyberattacks on colleges and universities.

Cybersecurity firms and leading analysts had several consistent warnings for 2017. Denial-of-service attacks will grow in number and severity, ransomware will continue to grow, “fakes” in general are escalating rapidly, state-sponsored attacks will escalate, internal threats will increase and by 2020 a third of successful attacks on enterprises will be on their shadow IT resources. As bad as 2016 was, 2017 is already proving to be far worse.

Colleges and universities are excellent targets for cyberattacks. Though not in the same class as financial institutions, they typically have fairly open networks with relatively low levels of security, do less filtering of network and email content than other organizations and still have sizable budgets with the largest proportion usually relating to salaries. This is where “spear phishing” enters the picture.

Spear Phishing

“Spear phishing” is an example of a category of attacks called social engineering. This area has been called “hacking the head” because these cyberattacks skirt perimeter defenses such as firewalls and go directly to users. Spear phishing uses the most creative and convincing means to trick users into making a mistake, and hence compromise themselves. In many cases, this involves volunteering their username and password to the malicious agents who can then use the credentials to access any number of systems, including HR and payroll systems. If hackers can get a payroll direct deposit rerouted to one of their own accounts, the haul can be impressive. Note that this is essentially paid for by student tuition dollars. Despicable, yes. And too often successful.

The timing of a spear phishing attack is equally stunning. As reported from research studies, the median time for the first user of a phishing campaign to open the illegitimate email is 1 minute 40 seconds, with the average time for all recipients being 3 minutes 45 seconds to click on the malicious attachment. In 93 percent of cases, it took attackers minutes or less to compromise systems. Data exfiltration occurred within minutes in 28 percent of cases. Essentially, the damage is so quick that intervention is nearly impossible. Couple this with the fact that research also shows approximately twice as many people click malicious links as admit they do. For whatever reason, lack of awareness, embarrassment, denial or other, many people effectively default into their demise.

Effective Security

There are three components to an effective cybersecurity posture: people, processes and technology. All three are required. For anyone who erringly believes technology countermeasures should be able to protect people who believe they need not act responsibly, they believe in this fallacy at their own peril. The same principle applies to institutions that choose to believe that policies are unnecessary, and that everyone will simply choose to do “the right thing.”

HED institutions can work to meet the needs of these new threats in a number of ways. First and foremost, user communication, awareness and training are vital. Ensure that users are aware of these threats. Don’t try to dismiss them away, believing they either will never happen or that it “reflects badly on the institution.”

Policies and processes are equally vital. The National Institute of Standards and Technology (NIST) cybersecurity framework is the current gold standard for preparedness. There are five components to the NIST framework: Identify, Protect, Detect, Respond, Recover. There are numerous sources of information on this framework, as well as resources to help implement it.

I am continually amazed by the number of colleges and universities that do not take cybersecurity seriously and that have not implemented even basic protections and countermeasures. In this area, omission is almost inevitably a fatal mistake. If cost is an issue, this should be measured against the cost of doing nothing when the inevitable breach occurs.

A number of companies provide very good cybersecurity tools and systems that can be deployed quickly and effectively. However, while technology evolves rapidly, cybersecurity is among the fastest changing areas of all. This means that great technology can be wasted unless professionals with current expertise are involved in the design, planning and implementation of these tools. Relying on someone with 20-year-old knowledge to get this right precludes success.

Cyberattacks are escalating. HED institutions have tools and resources available to them to meet these challenges, and this should be a high priority. Taking action yet falling short is understandable, given the nature of this threat. Taking no action is unconscionable.

This article originally appeared in the issue of .

About the Author

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or [email protected].

Featured

  • Anderson Brulé Architects Rebrands as ABA Studios

    Anderson Brulé Architects, based in San Jose, Calif., recently announced that it is celebrating 40 years of service by rebranding under a new name, according to a news release. The architectural, interior design, and planning firm will now be known as ABA Studios to refresh its identity underneath a new generation of leadership.

  • California Boarding School Opens New Inquiry Collaborative Facility

    Cate School, a boarding school in Carpinteria, Calif., for students grades 9–12, recently announced that it has finished renovating a historic dining hall into a new academic hub, according to a news release. The school partnered with Blackbird Architects and Tangram Interiors on the two-story, 16,000-square-foot Inquiry Collaborative.

  • Los Angeles City College Breaks Ground on New Administration, Workforce Building

    Los Angeles City College (LACC) in Los Angeles, Calif., recently broke ground on a new $72-million administrative facility, according to a news release. The Cesar Chavez Administration and Workforce Building will stand four stories, cover 67,230 square feet, and play home to a wide variety of the school’s educational and administrative services.

  • KI Launches K–12 Classroom Furniture Giveaway

    Contract furniture company KI recently announced the launch of its fourth-annual Classroom Furniture Giveaway, which awards $50,000 each to four K–12 educators across the U.S., according to a news release. The goal is to address decreasing student engagement and increasing teacher burnout numbers by updating learning spaces to accommodate modern needs.

Digital Edition