Today’s attackers recognize that, in the interest of avoiding costly outages, higher education institutions are highly motivated to pay ransomware demands, making them potentially lucrative targets.
Note: The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to, Campus Safety.
Ask people which sector they consider most vulnerable to cyberattacks, and most will probably say finance. A few might say government, some others might say tech. Chances are, no one would say education — but the truth is that educational institutions are targeted by attackers at an alarming rate.
As many as eight in 10 school IT professionals acknowledge that their institutions have been hit with ransomware attacks within the past year alone, and these incidents can have dire consequences — just ask Illinois’ Lincoln College, which was forced to shut its doors last year following a catastrophic cyberattack.
Attacks on colleges and universities show no signs of slowing down, and 2023 has already seen significant attacker activity directed at a wide range of institutions. Simply put, schools are vulnerable and attackers know it. Limiting risk exposure and improving their ability to protect the identities of their students, faculty, staff, and alumni must be a top priority if colleges and universities want to stop these attacks and avoid becoming easy targets.
Colleges and Universities Are Prime Targets
Part of what makes colleges and universities attractive to attackers is the sheer volume of data they collect. Even local community colleges accumulate a significant amount of personal information from students, including Social Security numbers, financial information, credential data, disciplinary records, and more — and they usually keep it for a long period of time. That sort of information is a treasure trove for attackers who can either sell it on the dark web or use it to carry out identity theft, financial fraud, extortion schemes, or other criminal activities.
Protecting that data is critical, but colleges and universities face an uphill battle. The shift to remote learning has taxed IT and security teams, and many institutions continue to struggle following the rapid digital transformation spurred by the COVID-19 pandemic. The new systems and solutions needed to support distance learning have resulted in considerable increases in traffic and capacity, which not every institution is equipped to support. Additionally, campus WiFi networks are notoriously vulnerable, usually requiring just a simple username and password combination, and many lack protections like multifactor authentication (MFA).
Colleges and universities are also particularly susceptible to ransomware attacks. Service outages are never good for any organization, but for institutions relying on remote and hybrid learning models, any downtime can effectively cripple operations. Colleges and universities know this — and so do attackers. Today’s attackers recognize that, in the interest of avoiding costly outages, higher education institutions are highly motivated to pay ransomware demands (and pay them quickly), making them potentially lucrative targets.
Identity Challenges Make Education Especially Vulnerable
Colleges and universities are perhaps most vulnerable to attacks targeting identities, due in no small part to the vast numbers of identities they need to manage. Even small colleges onboard thousands of new students each year, and graduate thousands more. Professors change roles, staff members move around, and students become alumni. Managing permissions for each of those identities is no small task, but failure to do so can create dangerous openings for attackers.
It’s generally advisable to operate on a “principle of least privilege” model, in which identities have access to only the data or areas of the network they need to perform their essential functions. That way, if an identity is compromised, the organization’s exposure is limited. For instance, a student majoring in humanities probably shouldn’t be able to access the medical data nursing students use. Likewise, a staff member in the financial aid department probably doesn’t need access to human resources systems. After all, imagine an identity with access to both HR and financial aid falling into the hands of an attacker, and the damage that attacker could do. When identities are overprovisioned (granted excessive permissions), they become very dangerous. But students, staff, and faculty change roles all the time, and keeping up with those changes can be a significant challenge.
Failure to limit data access and effectively manage permissions can leave the institution exposed in other ways, as well. The government and military often fund research at universities, as do technology and pharmaceutical companies. That research often involves classified information or valuable intellectual property — both of which attackers would love to get their hands on. Failure to effectively manage which identities have access to that data can leave it dangerously exposed to those seeking to carry out corporate or international espionage. No research partner will be thrilled to learn that their data was stolen because a university failed to effectively manage its permissions and entitlements.
Making Strides Toward Better Protection
Higher education is particularly vulnerable during the “back-to-school” period when new students are onboarding and countless roles are changing. Some students are becoming teaching assistants or resident assistants or moving on to graduate studies. Some are becoming research assistants or starting a medical residency. Assigning (and maintaining) appropriate entitlements for these ever-changing roles can be difficult, and the back-to-school period can be especially troublesome.
Fortunately, it doesn’t have to be. There are several simple steps institutions can take to more effectively protect themselves from today’s most common attacks:
- Automate the process of onboarding, offboarding, and role-changing. This is the most important step. Modern identity management solutions can assign permissions according to predefined categories and roles. This eliminates the potential for human error when assigning permissions and helps avoid common issues like overprovisioning or forgetting to close down a dormant account. Administrators can even set an expiration date for certain permissions, after which they must be either revoked or renewed.
- Implement a periodic review process. For identities with access to particularly sensitive information, a sponsor should regularly review their permissions to determine whether they are still accurate or necessary. This helps ensure that a student who leaves a research project does not maintain their access, or that a medical student who has graduated no longer has access to patient information, for example.
- Establish a system for access requests. Sometimes identities do require access to data outside their usual purview, and it’s important to have a system in place designed to validate and streamline those requests. The friction created by access requests is one of the primary causes of overprovisioning: sometimes it’s just easier to grant blanket access than to deal with frequent requests. Simplifying the request process can reduce that friction and limit the need for overprovisioning.
- Address ransomware through Privileged Access Management (PAM). One of the first things attackers target is backup systems since they are key to recovering from a ransomware attack. Effective PAM capabilities can protect privileged credentials and prevent adversaries from getting their hands on them, limiting the potential damage of an attack.
- Establish a clear patch management strategy. Failure to install updates and patches in a timely manner can leave systems highly vulnerable. Attackers often get into university systems through unpatched servers or compromised credentials, so keeping protections up to date is critical.
- Generate buy-in through awareness training. Finally, it’s important for everyone — students, staff, and faculty — to understand why certain behaviors put them and the institution at risk. Putting security measures in context can illustrate why a policy that seems cumbersome is actually necessary, helping to generate much-needed buy-in. Phishing awareness training can help them spot potential scams, while solutions like URL defense technology can identify when a link in an email is legitimate (and not leading to a malware site).
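The first two steps above (role-based provisioning with expiring grants, and periodic sponsor review) can be checked mechanically. The following is an added example, not code from the article or from any identity product: the role names, entitlement names, 90-day review interval and sample identities are all constructed assumptions.

```python
from datetime import date

# Constructed role baseline: what each role is entitled to by default.
ROLE_BASELINE = {
    "student": {"lms", "library"},
    "financial_aid_staff": {"financial_aid"},
    "alumni": {"alumni_portal"},
}
SENSITIVE = {"clinical_records", "hr_system", "financial_aid", "research_data"}
REVIEW_INTERVAL_DAYS = 90  # assumed sponsor-review cadence for sensitive access

def review_identity(identity, today):
    """Return sorted (entitlement, finding) pairs for one identity."""
    allowed = set()
    for role in identity["roles"]:
        allowed |= ROLE_BASELINE.get(role, set())
    findings = []
    for g in identity["grants"]:
        name, expires = g["entitlement"], g.get("expires")
        in_baseline = name in allowed
        if expires is not None and expires < today:
            findings.append((name, "revoke: grant expired"))
        elif not in_baseline and not g.get("approved_request", False):
            findings.append((name, "revoke: outside role baseline"))
        elif not in_baseline and expires is None:
            findings.append((name, "set expiry: exception has no end date"))
        elif name in SENSITIVE:
            last = g.get("last_review")
            if last is None or (today - last).days > REVIEW_INTERVAL_DAYS:
                findings.append((name, "sponsor review due"))
    return sorted(findings)

TODAY = date(2023, 9, 1)
# Constructed sample identities, modelled on the role changes described above.
IDENTITIES = {
    "alice": {"roles": ["alumni"], "grants": [          # graduated, old access kept
        {"entitlement": "alumni_portal"},
        {"entitlement": "clinical_records", "last_review": date(2023, 1, 10)}]},
    "bob": {"roles": ["financial_aid_staff"], "grants": [
        {"entitlement": "financial_aid", "last_review": date(2023, 2, 1)},
        {"entitlement": "hr_system"}]},                 # never requested or approved
    "carol": {"roles": ["student"], "grants": [
        {"entitlement": "lms"},
        {"entitlement": "research_data", "approved_request": True,
         "expires": date(2023, 6, 30)}]},               # project access lapsed
}

def run_review():
    return {who: review_identity(i, TODAY) for who, i in IDENTITIES.items()}

if __name__ == "__main__":
    for who, findings in run_review().items():
        print(who, findings)
```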
Limiting Risk in the Education Sector
Today’s attackers aren’t just after money — they’re after data, and compromised identities are often the easiest way to get it. The volume and complexity of identities managed by higher education institutions make them a natural target for attackers, and as many colleges and universities struggle to adapt to an increasingly digital world, stopping them isn’t always easy. Adopting a more comprehensive (and automated) approach to identity and entitlement management is a crucial first step for today’s institutions, limiting their risk exposure and helping them avoid becoming easy prey for attackers.
Ben Cody is Senior Vice President, Product Management at SailPoint, an identity management solutions provider.