Educational institutions, both K12 and higher education, are hacked on a regular basis, the situation shows no signs of improving. The implications of any data theft are huge: reputational, legal, economic and operational. Future funding may be affected, as well as possible loss of future student fees and associated income. An article in the Huffington post last year gave examples of 5 colleges with data breaches even larger than the Sony breach.
Here are a few examples of recent education data breaches:
Universities UK, an organization comprising the chief executives of UK Universities working to support and promote the UK higher education sector, commissioned a report looking into approaches to implementing cybersecurity in higher education institutions at an executive level.
Their suggestions on how to provide suitable cyber security appear very similar to approaches any large company should be tackling:
The nature of, and reliance on, the data plus a wide set of activities requires a set of targeted cyber security models appropriate and proportionate for their assets.
Data is relied on for the successful operation of the institution as well as a requirement for research and the production of further data. It can be the main intellectual asset, sometimes politically or commercially sensitive and essential for the university to meet its commercial or academic needs. Just consider the nature of climate change data, or medical records. Or it could be enterprise data, on students, finances, and HR: subject to the usual data protection laws.
The implications of any data theft are huge: reputational, legal, economic and operational. Future funding could be affected, as well as possible loss of future student fees and associated income. Prosecution and other penalties could arise, or the loss of intellectual property assets. There may even be damage to infrastructure that cripples the activities of the institution.
The personal and financial data stored on university data systems is of great value to the cyber-criminal. However, commercial data can be of interest to corporate spies and scientific or grant-related research can be targeted by nation-state backed groups.
Even university infrastructure, with its large bandwidth and powerful servers, is a target for hackers. It can be hijacked and used to direct attacks on other external systems. When the New York Times’ computer systems were hacked in 2013, the subsequent investigation found that the attacks had been directed through compromised computers at US universities.
The threats faced by educational institutions are the same as ever.
the list goes on!
However, the nature of the University campus and network is the real difference between higher-education establishments and the corporate network. Made up of many, sometimes dispersed, networks; the university network infrastructure is the corporate security officer’s nightmare. But this is not down to any lack of foresight or ignorance on campus IT security. It is far from it. The educational environment and historically open campus mean there is not the tight security focussed infrastructure that corporate networks exemplify.
A regular flux of undergraduates; researchers and graduates collaborating and sharing data globally; visiting academics; “bring your own device” infrastructures long before the business even considered it. These are environments where the concept of tight data security has traditionally been unhelpful or even unwanted. When an institution thrives on the free exchange of data and ideas, it cannot easily apply the same security measures as larger businesses do.
There is a fine-balance on what has to be allowed and what security measures can be put into place. Security in all organizations, commercial or academic, is a trade-off between the likelihood and potential impact of an attack and the financial cost or loss of utility that are incurred in defense. Increasing online threats and tough new penalties for data breaches are forcing universities to take cybersecurity more seriously than ever.
One successful approach has been to segment and partition campus networks as much as possible so that the most sensitive and valuable data can be protected adequately while allowing for relatively open parts of the network to support educational and research needs. This can be complex and requires detailed risk analysis, management prioritization and associated security measures. In fact, this is an approach that is starting to be seen in corporate networking. The dangerous ‘outside world’ and the safe local network is the old-fashioned view of things. The DMZ that used to sandbox the systems shared between both WAN and LAN is now being considered as the protected zone to secure servers from both the outside and internal worlds: using security systems that monitor the network for behavioral anomalies, rather than rely on perimeter-based protection.
And here, universities may be ahead of the corporate world.
The TitanHQ team have worked on email anti-spam solutions for schools, web filtering for education and email archiving for schools for over 20 years. We have a deep understanding of the web security issues that all schools and colleges have protecting students, school staff, and visitors.
Cybercriminals want your data - don't give it to them! Start protecting your educational organization from costly breaches and fines today. Web security is critical to protecting your data. Try a fully supported WebTitan trial today.
Sign-up for email updates...