Over the past three years, institutions of higher learning have experienced an extremely high number of cybersecurity breaches. The year 2014 was a notable one for school hacks, with four significant breaches at major universities: 300,000 records at the University of Maryland; 300,000 records at the University of North Dakota; 200,000 records at Butler University (in Indiana); and 146,000 records at Indiana University. But when university-affiliated medical systems are included in the list, the largest breach to date was a 2015 data breach at UCLA Health System, which exposed 4.5 million records. In 2015, there were 550 reported cybersecurity breaches at colleges and universities.
Verizon's 2016 Data Breach Investigations Report ranked the education industry sixth overall for the total number of reported security incidents in the U.S. last year. This was higher than two other industry sectors that have drawn a great deal of attention with recent large security breaches: healthcare and retail. More recently, in June 2017, University College London experienced a major ransomware attack, which threatened Britain's National Health Service (NHS) computer infrastructure.
Why Colleges and Universities Are Vulnerable
Colleges and universities gather and utilize a huge amount of information about students, parents, faculty and important research for the public and private sectors. Every fall, these players shuffle in and out of the system, compounding the challenge posed in protecting their data. A cybersecurity breach could open the door to a "virtual buffet of valuable data," including the bank account, credit card and health information of both students and parents. But in addition to these more obvious risks of participant identity theft, colleges and universities are prone to unique risks. For instance:
- Universities often house their own medical centers and hospitals, which also are subject to a high rate of data breaches with significant consequences.
- Academic services, including the SAT and ACT testing programs, are susceptible to breaches that could compromise an entire college admissions process.
- Colleges and universities serve as a clearinghouse for innovative research in the science, technology, engineering and math (STEM) fields, all of which are frequently and rather easily targeted by foreign governments in surreptitious support of their own businesses.
- Activist groups originating or operating from campus are exposed to foreign intelligence service monitoring and cyberattacks.
- Phishing: In 2015, almost a third of users opened emails that were designed to have them click on a malicious link or download malicious software attachments.
- User Education: Busy student and faculty schedules force cybersecurity training and awareness programs to the bottom of the list behind teaching and learning.
- Cloud Security: Cloud computing is a long-sought answer to many storage problems, but there is a great deal of due diligence required for cloud security that is not fully appreciated.
- High-profile information security strategy: Security frequently doesn't top the list of learning leaders' priorities. With cyber risk on the rise, it is vital to get the full attention of executive offices and governing boards and establish comprehensive strategies with the buy-in and oversight of these leaders.
- Next-generation security technology planning: With IT resources often not on a par with those of the corporate world, it can be difficult for colleges and universities to assure that their security tools are as up to date as possible.
- Governance over data security: For decentralized universities, it can be very difficult to govern data security.
- Unsecure personal devices: The proliferation of devices brought to campus by faculty members and students creates a challenge for the security staff to integrate those devices into enterprise-wide security systems.
What's a Governing Board to Do?
A recent Harvard Business Review Study sought to understand, "Why Boards aren't dealing with Cyber threats." The study's findings are particularly relevant for college and university governing boards:
- Most board members of any organization will agree that cybersecurity is an urgent global issue, and with the rash of cyberattacks flooding the media, it's impossible to deny; but these same board members at colleges and universities may simply not be making "the connection between the pervasiveness of cyber threats and their companies' vulnerabilities," particularly the vulnerabilities unique to their institutions cited above.
- Despite the known threat and the acknowledgment of its urgency, many officers and board members remain focused on more traditional financial, legal and reputational matters, relying on IT departments that "better understand the risks and solutions" to address cybersecurity risk. To many, these solutions are viewed as purely technical risks and as better addressed by the experts.
- Most importantly, the study concludes that "directors simply aren't internalizing the extensive, long-term damage an attack could inflict on their organizations."