America’s colleges and universities are becoming a playground for cyber criminals. Without regulation, their open networks and BYOD (Bring Your Own Device) culture makes them an easy target for online attacks. Read on to discover the reasons our institutions of higher education get a failing grade for cyber security.
U.S. Schools Have Poor Security Ratings and Results
The Massachusetts online security rating firm, BitSight Technologies, recently assessed the Internet security measures of America’s Ivy League, Big 12, Big 10, Pac-12, ACC, and SEC schools. Their study looked at a student population of more than 2.25 million and a network footprint in excess of 11 million IP addresses.
The institutions were rated on a scale from a low of 250 to a high of 900. The schools averaged around 600, well below the retail and healthcare sectors — both of which have suffered several well-publicized breaches. When students were on campus between September and May, most colleges lost an additional 30 points.
“From Social Security and credit card numbers to health records and intellectual property produced by research departments, colleges and universities house a vast amount of sensitive data,” explained BitSight Technologies co-founder and chief technology officer Stephen Boyer. “While not surprising given the unique challenges universities face securing open campus networks, it’s concerning to see that they are rating so far below other industries that we’ve seen plagued by recent security problems.”
BitSight Technologies’ ratings are supported by concrete data from Educause Center for Analysis and Research, which found that there were 562 reported cyber security breaches at 324 unique educational institutions across the United States between 2005 and April 25, 2014. That amounts to more than one reported breach a week. With many breaches going unreported and even undetected, the actual figures are bound to be much higher. Of the breaches that are reported, 77 percent occurred at America’s colleges and universities.
One such online breach saw more than 300,000 staff, student, and faculty records from the University of Maryland exposed in February 2014. In May 2014, 163,000 student, applicant, faculty, staff, and graduate records were stolen from Butler University in Indiana as a result of cyber crime.
In August 2014, Joseph W. Langford, a student from Utah’s Weber State University, was charged with hacking into university and faculty computers. While it’s unclear exactly what information was accessed, the personal details of 1,200 people using the breached computers between January and April 2014 may be at risk.
Many Colleges and Universities Don’t Employ Information Security Staff
It’s not coincidental that the schools that came out on top of BitSight Technologies’ study have a dedicated Chief Information Security Officer or Director of Information Security on staff. All schools with a rating of 700 or more from BitSight Technologies employed one of these online security professionals. “These schools should serve as an example for other colleges to benchmark their performance against,” Boyer said.
Trained online security professionals can watch for malware infections and other cyber threats, especially when security performance typically dips during the school year. Early detection of these problems can help prevent the spread of malware before they do extensive damage.
Most Institutions Don’t Have Formal, Up-to-Date Plans in Place
The BYOD trend has been embraced by universities and colleges, with 95 percent allowing personal laptops to use school networks and 89 percent permitting students to use any personal device on campus. Yet 61 percent of schools say they don’t have a formal BYOD policy. And even when they do, it seems few people know about it, with further studies suggesting just 23 percent of students are aware of their school’s BYOD strategy.
Instituting a formal BYOD policy has been shown to improve cyber security significantly but only if it’s managed correctly. It should be updated whenever new technologies are introduced to the networks, yet more than three in five schools with a BYOD policy admit they don’t do this. Less than a quarter of schools with a BYOD policy update this document annually, and 17.8 percent admit that they never update their BYOD policy at all.
Institutions Don’t Know What Devices Are Using Their Networks
Studies show that many institutions of higher education are unaware of what devices are using their networks. Fifty-six percent use a Network Access Control solution for self-registration and BYOD automation, while 16.7 percent have a manual register of devices. However, it’s disturbing to note that 20.7 percent don’t consider the type of device when granting access, and less than half require devices to have antivirus software installed before accessing the school network. This lack of awareness and regulation of best practices is putting school networks at risk.
What Can On-Campus Students, Administrators, and Faculty Do?
Until the higher-ups take steps to improve security on campus, it’s up to the administrators, educators, and students that use these networks to make their own efforts to stay safe. Educause found that unintended disclosure of account information, hacking, and malware were the top three reasons security breaches occurred on campus, so individuals should take steps to protect themselves from these factors.
Colleges and universities often have computer labs with many computers designed for shared use. It’s smart to avoid using these computers for high-risk activities like online banking. When using them to access emails or student records, it’s important to always log out once you’re done. Remember to keep your usernames and passwords secure to make sure others don’t access your accounts. It’s smart to create complex passwords using a combination of letters, numbers, and symbols, or even use a password manager to create and store hard-to-crack passwords.
Individuals shouldn’t be complacent when they engage in BYOD practices. While the device might not be shared, the network still is. A virtual private network (VPN), such as HotSpot Shield, encrypts your data so it can’t be read by others sharing the network. It’s important to use a VPN in conjunction with antivirus software. Ensure this and your operating system are updated regularly for the best protection.
While it’s alarming that America’s colleges and universities are failing at cybersecurity, it probably shouldn’t be surprising. Until these higher-education institutions beef up their online security systems, it’s up to administrators, educators, and students to protect themselves on campus.