The Yahoo data breach that compromised the passwords of about half a billion users is just the latest but perhaps largest cybercrime incident. The fallout could be far from over as users who recycle the same passwords for multiple accounts may still be at risk. Retailers, healthcare organizations, financial institutions, government agencies and others have also been victimized by attackers who are as sophisticated and organized as they are ruthless.
Higher education is a frequent but often overlooked target — some estimates suggest that 17 percent of data breaches in which personal information is compromised involve higher education. According to the Symantec Internet Security Threat Report for 2015, the education sector reported the third highest number of data breaches, resulting in the exposure of more than 1.3 million identities. Penn State, Harvard and Johns Hopkins are just a few of the big-name universities that were hacked in 2015.
Colleges and universities have what cybercriminals crave – personally identifiable information such as financial data, medical records and Social Security numbers. Even confidential research information can be sought after by hackers. This high-value data can then be sold to the highest bidder on the black market. In fact, some experts believe the sale of stolen data has become more profitable than drug trafficking.
Hackers know a soft target when they see one. Most students, especially incoming freshmen, are unaware of cybersecurity threats. According to a survey from EdTech, three in 10 breaches were traced back to “unintentional disclosure” caused by phishing email scams, misuse of social media and other careless activity. Students also tend to use their own devices and applications, creating a management nightmare for higher education IT teams.
At the same time, security strategies can conflict with the desire to ensure accessibility in higher education. Institutions want to make it easy for current and prospective students, faculty, alumni, donors and members of the community to connect, get involved and use school resources. Many schools continue to use legacy systems that are more vulnerable to attack than those of corporations that invest heavily in security technology, expertise and training.
The steps higher education needs to take to reduce data breach incidents go far beyond technology upgrades. Prevention is the first step. Implementing access control policies, such as multifactor authentication, will make it more difficult for unauthorized users to access sensitive data. All data should be encrypted while in transit and at rest, using the latest protocols, and consumer-grade data sharing tools should be prohibited. Schools also need to develop a formal policy for IT security and conduct ongoing training with students and faculty.
The second step is to assume a data breach will occur anyway. How will suspicious activity be detected? How will a threat be contained? When breaches occur, how will you respond to each incident? How will information about an incident be communicated, and by whom? What steps will be taken to ensure a similar incident doesn’t happen again? Incident response plans need to be tested regularly to ensure that swift, decisive action is taken.
Don’t wait until a data breach occurs to put an IT security strategy in place. Take steps now to minimize cybersecurity risks, protect the sensitive data of students and staff, and preserve the integrity of your institution.