Universities have become popular hacking targets, joining the ranks of other top targets like finance (Capital One, Equifax), retail (Target), manufacturing and transportation.

Hackers are demanding ransomware payments, crippling entire education computer operations and capturing extensive personal data, violating the privacy of students and staff.

The issue of education sector cyberattacks moved further up in the international consciousness recently when Louisiana Gov. John Bel Edwards declared a state of emergency in response to three school districts crippled by malware attacks, which shut down phone systems and locked data.

The motivation for these attacks range from ransoming the normal workflow of a university to selling hijacked student identities. Regardless of the motivation, like other public sectors, education is now, more than ever, on cybercriminals’ radar and will continue to be one of the popular targets.

Stepping Up Cyber Attack Defences

Just keeping up with the myriad attack versions and new threats coming every day burdens universities who are already struggling to keep pace with rapidly changing technology advancements, let alone cybercriminals. In crafting a more effective defence, educational institutions have a dual challenge: executing all the risk mitigation defences that any organisation must-have in today’s cyber environment and then layering the unique aspect of student populations with their own set of user expectations.

Here are practices that can help reduce risk yet maintain a productive user experience for students and staff alike.

1. Tighten up on administrative privileges.

Cybercriminals love penetrating networks in which administrator privileges are used everywhere. Effective malware and ransomware defence demand privileges are granted only to staff that truly require them to do their job.

A university, for example, can remove full admin rights and then selectively elevate just the privileges a user needs to do their job. Ideally, an educational institution would implement technology that not only centrally manages credentials and grants granular rights, but enables staff to self-serve access as needed, based on their work function.

2. Educate employees on constant vigilance.

Some of the most costly ransomware attacks are caused by simple acts of opening email or clicking on a website. Cybercriminals are adept at employing social engineering tools that look non-threatening and encourage students and/or staff to click through links in fraudulent emails. Even tech-savvy users can fall prey, no one is exempt from too quickly opening a potentially dangerous email.

Unfortunately, basic education will not suffice to fight cybercriminals. IT staff needs to put a continuing education program in place that accomplishes two objectives: keep staff and students up to date on new cyber attack trends and introduce new employees to the universities approach to fighting cyber attacks. In addition to education, all staff and students can take phishing tests, or drills in which they click on links and receive feedback as to whether they just clicked through to a potential malware occurrence.

3. Engage students to become part of the cyber defence team.

The current generation of students is the most mobile-device friendly ever. Whether using a phone, iPad or traditional laptop, worrying about the university’s security is rarely top of mind for them. Just as IT can help train and encourage staff to be more cyber-diligent, IT can work with teachers and administrators to help students understand data breaches can affect them personally and can cause great harm to their peers and their university. 

Secondly, administrators are already using social media platforms like Facebook and Twitter to regularly communicate about university news and events. Reminders about tactics like pop-ups linking to dangerous websites, or opening texts that are not from recognised senders, can be posted for students. This gives universities two key communication channels for furthering threat prevention.

4. Stay current on all application updates.

Executing critical patches and updates is essential to prevent new attacks. It should be a top priority of IT staff and cover third party applications as well as operating systems. Microsoft regularly publishes patch updates. IT needs to flag the ones of critical nature and ensure they are accomplished.

5. Be diligent about third-party vendor risk.

If your vendors and sub-contractors have less than optimum security protocols in place, they expose the university itself, and the student population to considerable risk. Third-party risk assessments must be done for suppliers that have access to university and student data to make certain their operations meet the standards of good threat prevention.

6. Consider specific cyber insurance.

Educational organisations are increasingly adding cyber-attack coverage to their insurance policies, driven by the trend toward ransomware. Administrators and finance staff need to examine the costs of this type of coverage, weighing it against the cost of restoring operations from a system lockdown and/or privacy breach, and determine what is the appropriate level.

Keeping the issue of cyber-attacks in front of all parties – admin, IT, staff and students – is an essential step in helping to prevent costly disruption to university operations and strengthen defences against a data privacy breach.

Combining better engagement with improved security practices will help to minimise a universities threat landscape. Being aware of third-party suppliers’ approach to data security is an important part of a complete data protection strategy. Within the university’s infrastructure, consistent, up-to-date patching and tighter access controls are a relatively economical means of adding more layers of data protection, compared to the millions of dollars of potential recovery costs after an attack.