In 2014, five of the largest data breaches recorded by Privacy Rights Clearinghouse involved educational institutions, and the trend of targeting universities has only continued, with more than one million records inappropriately accessed this year in the education sector.
Back in February, the University of Central Florida experienced a data breach that affected 63,000 current and former students and staff whose names, social security numbers, student identification information and extracurricular records were potentially accessed.
While not the primary focus of criminals and scammers, colleges and universities still face the same cybersecurity threats as any modern business. Research data can be potentially useful to foreign or corporate interests. And student information is highly valuable to identity thieves and other fraudsters.
What Types of Cyberthreats Does Your Campus Face?
Back in 2015, Cisco estimated that the number of devices contained within the Internet of Things (IoT) was roughly 15 billion, and the organization anticipates that this number will increase to 50 billion devices by 2020.
This explosion of smart devices used by both students and faculty on campus has greatly increased the volume of access points that can be exploited by hackers and criminals. And your campus only places itself at greater risk if it supports a bring your own device (BYOD) program.
According to Kaspersky Lab, half of the world’s mobile devices are not sufficiently protected from cybercrime and malicious threats. Equally concerning for any student data downloaded to these devices, a reported 34 percent of smartphone users in the United States do not lock or password-protect the information contained on their phones.
Social engineering via social media
As today’s college student spends a large percentage of their time on Facebook, Twitter and other social media platforms, scammers have increased their focus on these platforms as well. With such a large pool of candidates and the ability to easily create fake profiles, phishing and other social engineering attacks have grown rampant.
A recent report suggested that 40 percent of Facebook accounts and 20 percent of Twitter accounts purporting to represent a global 100 brand were fraudulent.
Of course, more traditional avenues for these attacks can be equally damaging. Earlier this year, a community college in Virginia fell victim to an email-based phishing attack that exposed the personal information of more than 3,000 current and former employees.
One area of risk that should not be overlooked is the potential risk posed by a tech-savvy student body. The more well-educated your students become, particularly those individuals studying IT security, the greater the likelihood that at least one will use these newfound skills to access your campus’s proprietary data. These attempts may not even be malicious and may be considered a “prank,” but the risk still exists.
How Can You Protect Your Campus?
As part of its cybersecurity strategy, your campus should institute a security awareness program that touches all areas of your faculty and administration. Offer training that clearly outlines how to protect and manage campus data, devices, and system access. Provide refreshers every year, or better yet, every semester.
Consider creating classes or workshops for students on the proper — ethical — use of devices and campus networks, as well as on what steps they can individually take to protect their personal information.
Employ automated monitoring tools that can track data access and identify potential network intrusions. If possible, create a tiered architecture that limits access to appropriate users and device types.
If your campus has a BYOD policy, establish clear security requirements, including mandatory security software and location detection settings.
Beyond monitoring your network, keep an eye on campus web sites and social media assets to make sure that all interactions are legitimate.
For more information on creating a cybersecurity strategy for your campus, check out our data security awareness course to learn about best practices for security policies, procedures, and behaviors.