Schools, colleges and universities are increasingly in the crosshairs of hackers. Privacy Rights Clearinghouse claims 30 educational institutions in the US saw data breaches last year, five of which experienced larger breaches than the infamous attack on Sony. This isn’t unusual. Open Security Foundation claims 15% of data breaches since records began have happened at US educational institutions.
is it safe?
When students hand over their personal and financial details during enrolment, they are probably unaware that US colleges and universities suffer data breaches at a rate of just over one per week. They account for 17 percent of reported data breaches, second only to the healthcare industry.
The three biggest breaches at educational establishments in the US across the last two years include:
- University of Maryland: Records of over 300,000 students, faculty and staff including names, birth dates, University ID and social security numbers.
- North Dakota University: A server containing names and social security numbers of 300,000 people.
- Butler University: Names, birth dates, driver's licenses, social security numbers, and bank account information for 200,000 people.
The information hackers gather from these attacks is often good enough to engage in ID fraud. The records held by these institutions can go back years, so numerous people may be affected. In response to each successful hack, the exposed institution then faces the time and expense of informing those whose data may have been compromised, not to mention the huge inconvenience to anyone whose ID is stolen.
This is not just a US problem. In Australia, one hacker attacked both FIT College and South West TAFE to protest the need for “better security” across college systems.
Schools are also attractive targets for ID theft because it can take years before anyone realizes an attack took place. Children find out when they hit 18 and discover they already have huge debt against their name. This is a severe problem: the 2012 Child Identity Fraud Report found that one in 40 households had a child who was a victim of ID fraud.
balancing risk with openness
Being an easy target for personal data is not the only motivation for hacking colleges.
Attackers may want to use college networks as a base from which to launch attacks, to create botnets, or to set up online services that hijack bandwidth from the college.
Universities are also full of intellectual property and research that may be of value to other organizations, enterprises or foreign powers.
Clearly it’s a big and recognised problem. So why are education systems such easy targets? Mostly it’s a cultural thing.
Colleges and universities had access to the Internet years before the public. They used it for research and collaboration.
"It's been a long-standing concern that our culture of collaboration and trust kind of flies in the face of the need for security to be more closed, more alert and more skeptical and cynical," said Rodney Petersen, senior policy adviser for SecuriCORE, a higher education information security project at Indiana University.
Campus diversity also creates challenges. Educational institutions must support multiple platforms and devices and may support a widely dispersed technology infrastructure, with assets situated across campus and beyond. It only takes one or two systems to be left vulnerable for hackers to get into the network.
BitSight Technology last year observed that the level of security on campus ebbs and flows during the year, likely in response to the influx of students and devices on campus networks. The security researchers note that those institutions with the best security all have a dedicated CISO or Director of Information Security on staff.
In response to the growing threat, educators must tighten up security, balancing the need to maintain open communications against the need to protect critical data.
Many have begun creating new networks on which they deploy business systems such as tuition processing or employee payroll, said James Robinson, director of security for Accuvant.
Some institutions may move to adopt the ISO 27001 standard, which can help organizations of any size, sector, or industry implement internationally recognized best practices in cybersecurity.
Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his daily regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for men's interest magazine, Calibre Quarterly, and news editor for MacFormat magazine, which is the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.