When it comes to cyberattack targets, many think of retailers and associated credit card transactions or customer information, or perhaps healthcare providers with their ever-increasing storage and transmission of electronic information related to patients. But colleges and universities are increasingly under siege from hackers. In fact, the education sector, according to recent reports, comes in third place, right after the healthcare and retail sectors, in the number of security breaches.
Recent statistics reveal that from 2006 through 2013, over 500 universities reported a data breach (and many more attacks may have been unreported). The trend continues in 2015, when already hackers have targeted large universities in Pennsylvania, Virginia, and Connecticut. In the Pennsylvania incident, over 18,000 students and faculty were affected. So what is behind the targeting of educational institutions?
Many universities conduct sophisticated research, whether in engineering, the sciences, or other disciplines. Schools can be a proving ground for new or emerging technologies and innovation. These sophisticated research programs often partner with U.S. government agencies or industry. Accordingly, schools can serve as a beachhead for other nations and foreign companies seeking to gain competitive advantages, whether economic, political, technological, or militarily. By hacking into university systems, not only can the attackers gain access to sensitive data held by the schools, but those systems can also be used as a jumping point into government computers or corporate networks.
According to an FBI white paper titled “Higher Education and National Security,” the systems and open environment of U.S. college campuses may be misused in order to:
- Steal technical information or products
- Bypass expensive research and development
- Recruit individuals for espionage
- Exploit the student visa program for improper purposes
- Conduct computer intrusions
- Collect sensitive research
The FBI’s white paper reports that attackers use various methodologies to conduct computer intrusion, including sending phishing emails with malware attached and exploiting social networking sites. Computer hackers, including foreign governments, are capable of breaching firewalls and exploiting vulnerabilities in software used by universities. According to the FBI, U.S. universities receive large numbers of unsolicited requests for information and millions of hits on their Web servers on a daily basis.
To combat these trends, colleges and universities should look to strengthen the security of their networks and deploy sophisticated monitoring and auditing tools. Schools should also be prepared to respond to the inevitable data breach by identifying where sensitive information is stored, prioritizing resources to protect that information, documenting an incident response plan, and rehearsing response strategy and scenarios with their incident response team.
And it is not just research or industrial secrets that are of concern. Once attackers are inside the school’s network, they may be able to move freely within it, accessing other systems that contain student, faculty, and staff information such as Social Security numbers, credit card information, and even academic records. Of course, access to this information can run afoul of federal regulations, such as the Family Educational Rights and Privacy Act (FERPA) as well as numerous state data breach notification laws. Although schools may be difficult targets to defend due to the open nature of campuses and less strict control over hardware and software that students and faculty use, in the wake of a data breach regulators will still look to see that schools had in place appropriate technological and administrative safeguards to protect sensitive information.