A couple of recent reports I’ve looked at highlight the extent of threats that universities and higher education establishments face from cyber-attack. Symantec’s 2016 report shows that higher education has moved into the number two spot behind healthcare in terms of the number of attacks. And the EDUCAUSE Center for Analysis and Research found 562 reported data breaches at 324 higher education institutions between 2005 and 2014. That represents roughly 15.5 million records.
So, what could explain this degree of threat and the volume of attacks? In my view, it comes down to two main factors. The first is that higher education is a ‘target-rich’ environment. Universities look after student, parent, alumni and personnel databases. They also manage financial information and private health records, and they process transactions. All of these, of course, make them subject to a whole host of regulatory regimes.
Many universities are also home to some cutting-edge research and development departments whose work creates potentially valuable patents as well as trade-secret related data. Taken together, there are plenty of attractive targets for a wide range of would-be cyber intruders.
The second is the very open nature of the university. That’s part of every university’s foundational purpose, of course. They are places that encourage and promote the free exchange of ideas and information. On a more prosaic level, they are also home to a constantly changing population of students, researchers, academics and staff. And then there’s the proliferation of ‘Bring Your Own’ devices and the elements of the digital classroom—from eBooks, to smartboards, to iPads to online learning—that all want access to the network. That multitude of connected devices significantly expands the attack surface that a university presents.
Universities face all the familiar challenges of cybersecurity – from phishing attacks to unsecured personal devices and from a lack of security awareness to identity and access management – but need to contend with them in the context of a highly distributed technology environment. Open networks may not be properly monitored for unauthorized access, unsafe internet surfing habits and malware infections.
Various faculties run their own IT and security departments, which makes the enforcement of streamlined security practices very difficult. In some cases, faculties will have computing devices for specific projects or to store scientific data that don’t adhere to central IT security policies and standards. And this results in distributed data repositories with improper data classification.
Finally, most higher education institutions also lack the formal governance structures to address security and compliance. It’s rare to find roles such as a Chief Information Security Officer (CISO), or well-established compliance teams. Their absence makes it hard for any university to implement and manage centralized IT security policies and standards.
Overall, the nature of what higher education institutions do and how they’re organized exposes them to some unique challenges when it comes to cybersecurity. But in my view, there’s plenty that they can do to address them without compromising the openness and freedom of intellectual exchange that underpins their success.