False Sense of (Cyber) Security: Data Breaches in Higher Ed
False Sense of (Cyber)Security:
Data Breaches in Higher Ed
Data breaches are the scourge of any business that is responsible for sensitive cardholder data—and higher education institutions are not exempt. In fact, information security ranks #1 when it comes to critical IT issues for the higher education space, according to a report by EDUCAUSE, a higher education technology association.
While mega-retailers catch a lot of heat for hacks and breaches, higher ed seems to be unaffected. This is a false sense of (cyber)security. The truth is, breaches impact all types of organizations negatively. Not only are they costly—the average cost per stolen record of sensitive data in higher ed is $245—but they do significant damage to the reputation of the breached entity. Yet, many higher education institutions believe they are immune.
They are not.
A Look at Higher Education Data Breaches in 2018
In March, nine Iranian hackers breached 144 US universities (among other targets), and the totality of their spree resulted in 31 stolen terabytes of data worth roughly $3.4 billion in intellectual property. Spear phishing emails were the primary tool used to perpetrate these attacks on universities; by sending the emails to professors and other university affiliates, they were able to entice them to click on malicious links to enter network login credentials. The hackers were able to steal 15 billion pages of data from the organizations they breached.
It’s not just payment card data that’s at risk, either. In August, a breach at Augusta University Health exposed the health and personal information of 417,000 people. While many were patients, some faculty and students fell victim to the breach as well.
Eastern Maine Community College of Bangor also experienced a breach in 2018. A computer virus was able to access the personal data (name, address, and Social Security Number) of roughly 42,000 people. The affected group was not limited to current students, either; students from as far back as 1998 and workers from 2008 through 2018 were potential victims to the breach. A simple open or click of a malicious file or link was all it took to initiate the spread of the virus throughout the network, making it extremely difficult to combat.
The University of Buffalo was also breached in 2018, compromising the account information of thousands of students, alumni, faculty, and staff. After visiting a non-university website and logging in with their university account credentials, users’ login information was stolen. While the vice president and chief information officer was adamant that immediate steps were taken to address the problem, the reality is that more attention needs to be paid to preemptive measures rather than reactive ones.
In fact, one area where higher education IT professionals do seem to be on par with retailers is in having this reactionary state-of-mind. One of the biggest industry-agnostic issues is that organizations do not have a proactive cybersecurity strategy in place to prevent breaches. Instead, they operate on a “how can we fix this basis.”
Take Yale, for example. The Ivy League school revealed in August of last year that it had been breached 10 years prior. The breach was believed to have occurred between April 2008 and January 2009, exposing the personal details of 119,000 people. That is a big event that was not even discovered for ten years, until June 16, 2018.
Not only is this type of cybersecurity response reactionary...it’s slow, ineffective, and dangerous.
The Early Bird Catches the Hacker
Universities must do better. They are responsible for the sensitive data of students, families, employees, donors, customers, patients, and more. This wealth of data requires a fine-tuned, proactive and preemptive cybersecurity strategy that accounts for PCI compliance as well as common sense measures.
It also calls for programs to help educate students, staff, and faculty about phishing schemes and how to avoid handing over account credentials to nefarious actors. Establishing training programs can allow members of the university community to dodge phishing schemes and empower them to report suspicious digital activity to the right people.
Other tools are important, too. Spam-filtering solutions with anti-phishing capabilities should be installed across the network. Using web-filtering programs that block phishy websites can be another way to squash cybercriminals before they edge in.
Adding these types of controls is a beginning, but working with an experienced partner like Arrow Payments can elevate your security game to the next level. We have deep experience building security strategies for universities that protect the payment information of students, customers, donors, and anyone else in your network.
Protect your reputation—and your bottom line—from the damage a data breach can cause. Contact us today to get proactive with your cybersecurity.