Higher education institutions are treasure troves for hackers. Colleges and universities are huge repositories of research data, sensitive information on large populations of applicants and enrolled students (personal, academic, financial and health data), and sensitive personal and tax information for all faculty and staff. This makes higher education information systems particularly valuable targets for cyberattacks. In the wake of a series of cyberattacks on several prominent colleges and universities, higher education institutions would be well-advised to review their current security posture, breach preparedness, and cyber insurance coverage.
Reports of a recent cyberattack affecting eight colleges and the central administration at an elite university in New England came on the heels of a hack of an engineering college in Pennsylvania, exposing personal information of at least 18,000 people and other sensitive data. These follow numerous other reported attacks against colleges and universities this past year, including reports of an extortion attack against a major medical research university; hacks of three Midwestern universities affecting almost 600,000 students, staff, faculty and alumni; and a hack of a Mid-Atlantic university affecting more than 300,000 faculty, staff, and students.
According to a 2014 Ponemon Institute study on cybercrime, the mean cybercrime cost for U.S. entities in the education and research sector was $8.1 million for fiscal year 2014, and $9 million across a five-year average. More than 55% of the cybercrimes experienced across all industry sectors were caused by denial-of-service attacks, malicious insiders, and malicious code.
Beyond detecting, containing, and eradicating a cyber incident, navigating state data breach laws can present additional challenges for the higher education sector. Higher education institutions often have geographically diverse student bodies, potentially implicating many of the 47 state data breach notification laws (Alabama, South Dakota, and New Mexico are the only three states without data breach notification laws). Failure to provide timely notifications can increase government scrutiny and the risk that affected individuals may not be able to take precautions, such as enrolling in identity theft protection and credit monitoring, to prevent or lessen resulting harm.
Higher education institutions should ensure they have incident response plans in place, and that they test those plans with pre-breach tabletop exercises. They should also conduct risk assessments of their information systems to evaluate their current security posture and to identify and reduce vulnerabilities. To mitigate the risk of attack, higher education institutions should implement all reasonable and applicable security controls, as recommended by the National Institute of Standards and Technology (NIST) and the SANS Institute. These include a layered defense and the monitoring of ingress and egress traffic, which may aid in identifying the source of an attack. These and other proactive actions can also reduce the overall cost of a breach. Since risk cannot be completely mitigated by technology, higher education institutions should also review their existing insurance policies and confirm they have adequate cyber insurance. While cyber insurance will not prevent a cyberattack, it may substantially mitigate its economic impact.