Dive Brief:
- Universities continue to be "highly vulnerable" to cyberattacks, but those most at risk also tend to have the financial resources to protect themselves, according to a new report from Moody's Investors Service.
- Institutions house a wide range of student records, sensitive research and medical information in potentially leaky networks. Additionally, that data is often dispersed among several campuses with "countless access points" on each; global interconnectedness also poses a risk.
- However, budget constraints may make it difficult for colleges to keep up their defenses as threats grow more complex. Moody's identified 101 data disclosures at U.S. institutions in 2017, an increase from 15 in 2014. It expects the "upward trend" to continue.
Dive insight:
"Cyberattack types have evolved faster than mitigating measures," Moody's analysts wrote. They list a handful of examples at colleges and universities across the U.S., including a hack of a web application at Georgia Tech that resulting in data on 1.3 million current and former students, applicants, staff and others.
Grinnell, Hamilton and Oberlin colleges were the target of hackers that stole applicant records and then tried to sell the information back to the students, according to the analysts. They also highlighted a multiyear conspiracy by nine foreign nationals who allegedly stole 31 terabytes of academic data and intellectual property from 176 institutions in 21 countries; the 144 affected U.S. institutions paid more than $3.4 billion to reclaim the stolen information, "potentially devaluing the stolen research."
The Chronicle of Higher Education reports that colleges and universities are vulnerable to three types of attacks: increasingly sophisticated phishing, where emails dupe recipients into handing over sensitive information; ransomware, which gives hackers control of a machine or server; and denial of service attacks, which use a data overload to shut down a network.
Moody's analysts also highlighted as a concern cyber espionage, through which state-sponsored groups try to gather proprietary research that in many cases is supported by the federal government and related to defense.
In response, colleges are tightening up hardware, software and security protocol, such as by requiring extra layers of user authentication. Others are using informational campaigns that promote cybersecurity best practices among students, faculty, staff and others on campus. One security expert told Education Dive last year that secure systems require access control, material encryption and logs that show who has used the data.
Some institutions are even hiring chief privacy officers, EdSurge reported, though it notes only four in 10 have a person on staff dedicated to information security. Last year five universities joined forces to develop OmniSO, a shared operations center that helps them detect and mitigate threats.