In May this year, Lincoln College in Illinois closed permanently after a cyberattack in December 2021 corrupted all internal data, leaving the college well short of enrollment and financial resources. In its 157 years of existence, it survived the Spanish flu, the Great Depression, 2008’s recession, but a critical attack on its IT and file management systems was too lethal for the college to bounce back.
The cyberattack on Lincoln College is not an isolated case. Many organizations in the education sector lack the required data security to protect student and institutional data. To make matters worse, education and research was the most targeted sector by cybercriminals in 2022. According to Check Point’s 2022 mid-year report, educational organizations face an average of 2,297 attacks every week—a 44% increase since last year.
Why Is Higher Education a Target for Cybercriminals
There are many reasons why higher education institutions are an easy target for cybercriminals. One contributing factor is their lack of digital maturity. According to Formstack’s State of Digital Maturity report, the education industry lags far behind other industries on digital maturity. This leads to many security risks and hacker entry points. Below, we cover three of them.
Extensive Repositories of Sensitive Data
Colleges and universities store a huge amount of student and staff data. While employees can be covered with mobile device management (MDM) for unified security, students do not react like employees. They access online school resources from various devices and networks, making their devices more vulnerable to data theft. On top of that, institutions are tasked to protect the PII databases of students which are often used by hackers for identity theft.
Another reason why cybercriminals prioritize breaking into academia is because of the vast amount of research papers and knowledge bases developed by reputed institutions. The right data in the wrong hands can open doors to espionage, financial loss, and reputational damage.
Different Levels of IT Infrastructure
The world of academia is by design, an open place. For centuries, it's been built on the principles of open access, minimal supervision, and maximum sharing of knowledge. But for higher ed institutions operating in the 21st century, this is a governance nightmare.
Individual departments have long used IT systems that were deployed according to their specific demands. Thanks to the decentralized security system, a university's Statistics department might have a vastly different IT structure than the English department. But since the departments are connected internally, hackers can target one department and use backdoors to eventually access more sensitive data.
Lack of Adequate Cybersecurity Talent
To solve complex and antiquated security problems, colleges and universities need superior talent in their workforce. However, the talent crunch is a crucial factor. IT and security professionals view the education sector as less rewarding than tech and business sectors.
This means that even if institutions are aware of their security shortcomings and plan to rectify them, they fail to bridge the talent gap. The absence of a proper strategy and workforce allows cybercriminals to continue to find new ways to exploit colleges and research centers.
The Most Popular Types of Cybersecurity Attacks
Since higher education is an easy target for hackers, they get to use various methods of attack. If you're planning to protect your facility, it's important to understand what the most common cybersecurity attacks are and how they happen.
The oldest mode of cybercrime is also one of the most popular when it comes to attacking higher ed institutions. Phishing is a social engineering attack that mimics verified sources to gain the victim’s trust.
Phishers use authentic-looking emails, text messages, and notifications to communicate with staff and students, except they're not coming from authentic sources. Online scams include malware-infested attachments, seedy links, and fake forms that steal data and compromise the devices of users.
These scams are effective in colleges and universities because students and staff expect frequent official communications. Phishing attacks can target individual employees, groups of students, and even parents that handle fees and payments.
Ransomware attacks are on the rise partly because of how sophisticated phishing attacks have become. When a victim is tricked into performing an intended action, the hacker then drops malware on the system. It collects all the system data, finds ways to spread to critical machines by way of email and file sharing, and eventually gets hold of data sensitive enough to put an organization into compliance chaos.
The hackers then encrypt the data that can only be accessed by institutions paying the ransom. Considering the extent of damage this information can cause in the wrong hands, victims panic and end up paying a huge amount of money. According to IBM, average ransomware attacks cost $4.62 million to victims. Hackers study human psychology, observe interactions, and mimic languages that are hard to identify as fake. It has become so advanced that hacker groups develop and sell ransomware as a service (RaaS) to others.
While phishing and ransomware attacks rely on victims to react, SQL injections can be done without human elements. SQL is a language that interacts between database servers and if you can trick a database to think the SQL is authentic, it might return with sensitive information. SQL injections are often directed at web forms and login pages. If your database contains loopholes, the malicious code can get access to login credentials.
It's easy to understand why SQL injections are so popular in higher ed institutions. Colleges and universities use myriads of password-protected applications and websites to facilitate learning and communications. Once hackers gain access to personal accounts they can retrieve data in no time.
Did you know? Formstack provides many enhanced data security tools to protect and encrypt your data to ensure a safe and secure form experiences.
Since colleges and universities have more access points than other organizations, data breaches are not an uncommon sight. This can be triggered by unauthorized employees and malicious insiders accessing critical data, stolen devices, and brute force attacks by hackers to overwhelm a network.
Data breaches take meticulous planning by hackers and they use multi-pronged approaches such as phishing, ransomware, and even DDoS to gain access at all costs.
How to Prevent Cybersecurity Attacks
Cybersecurity challenges can be tackled with a combination of upgraded infrastructure, documentation, and vigilance. Under the hood changes such as prepared statements, stored procedures, and input validation can protect against SQL injections, while frequent risk and compliance audits should be conducted to find technical loopholes. However, improving cybersecurity require user empowerment as much as new technologies.
Prevent Phishing Through Training
Phishing, in particular, relies on people's ignorance and lack of cybersecurity knowledge. Schools have more people accessing databases than a lot of companies, which makes user education a potent weapon against cybercrimes.
The most common phishing scams are done through emails and spam texts. Scammers spoof real addresses by using random IDs underneath or use cousin domains that feel real but aren't. For instance, firstname.lastname@example.org can be spoofed with email@example.com with a similar header and display image. It becomes a bigger issue on mobile since sender details are not automatically shown. Email service providers (ESPs) have gotten better at finding malicious links within emails so hackers often use attachments to hide them.
Cybersecurity training empowers the most vulnerable targets in identifying the signs of phishing, including manipulative language, urgent tone, and unusual changes. Training should have written documents, video content, and discussion sessions that can help users clear their doubts. A mix of real examples, phishing stimulation, practice, and performance tracking can elevate the general understanding of online crimes. A special emphasis should be placed on the rapid actions that must be taken once an attack is detected.
Integrating cybersecurity training within user onboarding SOPs can help teachers, staff, students, parents, and most importantly the reputation of the institution. Princeton University has a very interesting “phishing bowl” that acts as a transparent repository of phishing attempts on the institution.
Pro Tip: Cybercrimes evolve at a breakneck speed which means training shouldn't be a one-off event either. It’s best to run cybersecurity training programs on at least a quarterly basis.
Update All Systems Regularly
Apart from preparing end users, you must also prepare your devices to guard against cyberattacks. Most users perceive software updates as a nuisance to their everyday workflow and ignore them whenever possible. But it's important to remember updates don't always bring cosmetic changes—they contain security patches to improve system efficiency. Microsoft, Apple, Google, and other vendors push patches for zero-day vulnerabilities and it's always recommended to update systems whenever a fix is available.
You can override system preferences by allowing the IT department to push updates and educate users on the importance of keeping systems up-to-date. System administrators should adhere to network firewall security best practices and audit system firewalls regularly.
Companies such as Facebook, Uber, LinkedIn, and eBay have been victims of cyberattacks despite having state-of-the-art security protocols in place. Despite your best efforts, 100% protection against threats isn't guaranteed. This is more true for higher ed industries where user access is hard to track and measure. That's why it's important to draw up a rapid response strategy, should things go awry. A robust cyber program is a start. Adding new dashboards to track attacks and latest trends, drawing up policies, and improving the IT talent pool go a long way in cybersecurity.
Protect Your University From Cyberattacks
Colleges and universities deserve stronger cybersecurity protocols to instill confidence in students and researchers while finding better ways to protect the sensitive data they collect and process every day. Only by following industry standards, software best practices, and strong awareness programs can you shield your institution from hackers.
Do you have security concerns around how your university collects and stores data from students, staff, and faculty? Discover why Formstack is a trusted workflow automation tool for more than 1,000 colleges and universities.
About the Author
Irina Maltseva is a Growth Lead at Aura and a Founder at ONSAAS. For the last seven years, she has been helping SaaS companies to grow their revenue with inbound marketing. At her previous company, Hunter, Irina helped 3M marketers to build business connections that matter. Now, at Aura, Irina is working on her mission to create a safer internet for everyone. To get in touch, follow her on LinkedIn.