Over the past three years, institutions of higher learning have experienced an extremely high number of cybersecurity breaches. The year 2014 was a notable one for school hacks, with four significant breaches at major universities: 300,000 records at the University of Maryland; 300,000 records at the University of North Dakota; 200,000 records at Butler University (in Indiana); and 146,000 records at Indiana University. But when university-affiliated medical systems are included in the list, the largest breach to date was a 2015 data breach at UCLA Health System, which exposed 4.5 million records. In 2015, there were 550 reported cybersecurity breaches at colleges and universities.
Verizon's 2016 Data Breach Investigations Report ranked the education industry sixth overall for the total number of reported security incidents in the U.S. last year. This was higher than two other industry sectors that have drawn a great deal of attention with recent large security breaches: healthcare and retail. More recently, in June 2017, University College London experienced a major ransomware attack, which threatened Britain's National Health Service (NHS) computer infrastructure.
Why Colleges and Universities Are Vulnerable
Colleges and universities gather and utilize a huge amount of information about students, parents, faculty and important research for the public and private sectors. Every fall, these players shuffle in and out of the system, compounding the challenge posed in protecting their data. A cybersecurity breach could open the door to a 'virtual buffet of valuable data,' including the bank account, credit card and health information of both students and parents.
But in addition to these more obvious risks of participant identity theft, colleges and universities are prone to unique risks. For instance:
- Universities often house their own medical centers and hospitals, which also are subject to a high rate of data breaches with significant consequences.
- Academic services, including the SAT and ACT testing programs, are susceptible to breaches that could compromise an entire college admissions process.
- Colleges and universities serve as a clearinghouse for innovative research in the science, technology, engineering and math (STEM) fields, all of which are frequently and rather easily targeted by foreign governments in surreptitious support of their own businesses.
- Activist groups originating or operating from campus are exposed to foreign intelligence service monitoring and cyberattacks.
A recent survey of chief information security officers noted factors making the challenges faced by their educational institutions even more difficult:
- Phishing: In 2015, almost a third of users opened emails that were designed to have them click on a malicious link or download malicious software attachments.
- User Education: Busy student and faculty schedules force cybersecurity training and awareness programs to the bottom of the list behind teaching and learning.
- Cloud Security: Cloud computing is a long-sought answer to many storage problems, but there is a great deal of due diligence required for cloud security that is not fully appreciated.
- High-profile information security strategy: Security frequently doesn't top the list of learning leaders' priorities. With cyber risk on the rise, it is vital to get the full attention of executive offices and governing boards and establish comprehensive strategies with the buy-in and oversight of these leaders.
- Next-generation security technology planning: With IT resources often not on a par with those of the corporate world, it can be difficult for colleges and universities to assure that their security tools are as up to date as possible.
- Governance over data security: For decentralized universities, it can be very difficult to govern data security.
- Unsecure personal devices: The proliferation of devices brought to campus by faculty members and students creates a challenge for the security staff to integrate those devices into enterprise-wide security systems.
Another significant factor that heightens vulnerability derives from the college's or university's in loco parentis role over the lives of students. Colleges and universities are subject to many regulations that impact them to a greater degree than other institutions. Institutions of higher learning need to comply with the Family Educational Rights and Privacy Act (FERPA); the Federal Information Security Management Act of 2002 (FISMA), which imposes specific safeguard requirements for colleges and universities that maintain sensitive information in connection with government contracts and grants; and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition to their traditional duties of care and loyalty, college and university governing boards need to assure compliance with the extremely complex requirements of these federal laws and any applicable state and local regulations.
What's a Governing Board to Do?
A recent Harvard Business Review Study sought to understand, 'Why Boards aren't dealing with Cyber threats.' The study's findings are particularly relevant for college and university governing boards:
- Most board members of any organization will agree that cybersecurity is an urgent global issue, and with the rash of cyberattacks flooding the media, it's impossible to deny; but these same board members at colleges and universities may simply not be making 'the connection between the pervasiveness of cyber threats and their companies' vulnerabilities,' particularly the vulnerabilities unique to their institutions cited above.
- Despite the known threat and the acknowledgment of its urgency, many officers and board members remain focused on more traditional financial, legal and reputational matters, relying on IT departments that 'better understand the risks and solutions' to address cybersecurity risk. To many, these solutions are viewed as purely technical risks and as better addressed by the experts.
- Most importantly, the study concludes that 'directors simply aren't internalizing the extensive, long-term damage an attack could inflict on their organizations.'
Governing boards of institutions of higher learning need to understand that while cybersecurity risk is unique and the risk of cyberattacks is certainly different from more traditional strategic, financial, operational, hazard and reputational risk, it is important that the board make cybersecurity risk an integral part of the institution's existing governance and risk management framework. Governing board members should seek to educate themselves about the nature of the risks cited above. They need to play a proactive strategic role in the cyber risk management decisions of their colleges or universities.