Higher Education, the Pandemic and the Need to Strengthen the Risk Framework

Author: Kathleen Martin, CISA, CRISC
Date Published: 13 October 2022

When evaluating and comparing risk and controls across industries, one can conclude that higher education occupies an unusual position. With the exception of highly endowed private institutions, most institutions are struggling to maintain their community footprint and provide the opportunities they offered prior to the COVID-19 pandemic. Methods of learning have largely migrated to online environments, and the desire to attend classes in a physical classroom has decreased significantly. As a result, oversight and controls need to be revisited at many higher education institutions.

Unfortunately, malicious cyberactors understand that it can be difficult for some institutions to enhance information security controls while also supporting the increasing demand for online education. Attackers have exploited this gap to compromise the networks of numerous colleges and universities, encrypting systems and taking websites and online services offline until a ransom is paid. While ransomware attacks are not uncommon in other industries, colleges and universities have become prime targets. Surprisingly, education is the sector most affected by malware attacks when compared with other industries such as business and professional services, retail and consumer goods, and high tech.1 An analysis of ransomware campaigns within higher education found that attacks against colleges and universities have more than doubled since the onset of the COVID-19 pandemic.2 Worldwide, 64% of organizations in higher education and 56% of those in lower education suffered ransomware attacks in 2021.3

This changing landscape demands more thorough oversight of risk. Without it, more higher education institutions will likely become victims of cyberattacks and be forced to make ransom payments. When a cyberactor succeeds in encrypting an institution's systems, its website and online services become unavailable to students, faculty and staff. The negative impact may be exacerbated by the time of year at which it occurs. For example, if a university or college website became inaccessible at the beginning of the semester, faculty would struggle to make connections with students. Students who may be tentative about learning online could grow increasingly discouraged and withdraw from their studies. If an event happened at the end of the semester, specifically during final exam week, faculty might be unable to administer the necessary exams and students might not receive their diplomas in the predefined time frames. The administration could be at a loss to find funds to cover a ransom payment to restore functionality of the institution's network. Longer term, reputational damage from such an event may be difficult to quantify. However, the institution may experience a decline in online enrollment after a publicly known attack, because it takes time to rebuild trust with the public.

Rethinking Controls in Higher Education

There are competing priorities for attention and funding at universities and colleges while they continue to create new identities for themselves as online or hybrid institutions. The US Department of Education is focused on decreasing equity gaps and helping students who may not have had the same opportunities and mentoring as other students. Focusing on ways to serve students by helping them learn is of paramount importance.

As a result, there is a need for a delicate balance between focusing on how to attract and retain students while keeping the institution guarded and protected from malicious attackers. The goal of higher education is to instruct and educate its students. It may be difficult to succeed with this mission if the proper preventive and detective information security controls are not in place.


The following actions can help higher education institutions strengthen controls and reduce the risk of successful attacks on their networks:

  • Utilize a model enterprise risk management (ERM) framework such as the Committee of Sponsoring Organizations (COSO)’s Enterprise Risk Management—Integrating With Strategy and Performance framework4 or the International Organization for Standardization (ISO) standard ISO 310005 to ensure that the board of directors (BoD) or trustees understands the key risk areas to the college or university and what controls are in place to prevent or detect risk. While these types of frameworks are common in the enterprise space, they may not be as well established in higher education. As a result, it is important to garner the BoD’s support for monthly updates. Periodic updates increase transparency of potential risk and may lead to additional resource allocation to address higher risk areas such as potential cyberthreats.
  • Because most US institutions of higher education participate in federal student financial aid programs, they are considered financial institutions under the US Gramm-Leach-Bliley Act (GLBA).6 As such, governing boards should be aware of risk levels and of the controls in place to protect the institution and keep it compliant with regulations.
  • Confirm the cost of the tools and resources required to reasonably protect the institution from a ransomware attack and confirm whether the cost of the mitigation techniques aligns with the institution’s risk appetite.
  • Ensure that a risk-based approach is taken to evaluate vendor contracts. Evaluate the data shared with each vendor. Confirm the vendor’s responsibility in the event of a data breach with the institution’s data. Most colleges and universities do not have the same type of resources dedicated to vendor management as other industries. In light of the limited support of resources for vendor governance, additional attention must be paid to contracts because they are the primary control for protecting the institution.
  • Require federated single sign-on (SSO), for example via Security Assertion Markup Language (SAML), for all applications. Smaller vendors that specialize in niche markets may lack the mature identity integration offered by more established applications. Without SSO, an application keeps its own local credentials, which may not even be tied to the user's institutional email address. A user can then log in to these applications outside of their work obligations or, worse, retain access after termination, because disabling the account in the central directory never reaches the application.
  • Ensure that cyberinsurance is in place. Insurers are becoming more cautious about issuing cyberinsurance policies to institutions of higher education, and premiums continue to rise for this market. However, cyberinsurance is designed in part to mitigate the financial risk related to extortion.
  • Implement annual training to prevent phishing schemes from succeeding. Well-known phishing schemes include emails from the president or provost of the college asking individuals to take immediate action. While cyberprofessionals may find this inherently suspicious, it may not seem unusual for those who have received little or no cyber training.
  • Unlike financial institutions, public colleges and universities are generally open to sharing their specific issues, controls and risk factors with each other. While this can be beneficial for leveraging best practices, it can also be a deterrent to implementing better solutions or enhanced controls. If an institution feels it is reducing risk or has stronger controls than its peers, it may not feel an urgency to remediate known control weaknesses.
  • Colleges and universities tend to have decentralized vendor purchases. As a result, multiple departments may procure similar or competing vendor solutions. To help reduce vendor exposure and to enhance financial strength, a process to consolidate and review vendor purchases should be implemented to avoid redundancies and leverage existing licenses.
  • Stress the importance of documented, current and approved policies, especially regarding user access, accessibility of archived data, removal of users upon termination and monitoring of consultant access.
  • Ensure that data classification protocols are in place and review the methods for storing and transmitting confidential or personally identifiable information.
  • If possible, only use college- or university-owned equipment to access the school’s network and email.
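The SSO point above and the policy point about removing users upon termination share one failure mode: an application that keeps its own local credentials never learns that a person has left. The following added example (not code from the article or from any vendor named in it) reconciles a constructed export of a non-federated application's local accounts against a constructed identity directory and flags accounts that are terminated, were used after termination, cannot be mapped to an institutional identity (personal email or bare username) or have gone dormant. The data, the 180-day dormancy threshold and the application names are assumptions for illustration only.

```python
"""Reconcile local application accounts against the institution's identity directory.

Added example, not part of the original article. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed identity directory, as an IdP or HR system might export it, keyed by
# institutional email. A real export would come from the directory, not be hard-coded.
DIRECTORY = {
    "jdoe@example.edu": {"status": "active", "terminated_on": None},
    "asmith@example.edu": {"status": "terminated", "terminated_on": date(2022, 5, 31)},
    "rlee@example.edu": {"status": "active", "terminated_on": None},
}
STALE_AFTER = timedelta(days=180)   # assumed policy threshold for dormant accounts
AS_OF = date(2022, 10, 13)          # the date the audit is run (constructed)


@dataclass
class Application:
    name: str
    federated: bool                 # True: logins go through SAML/SSO, no local passwords
    accounts: list = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    app: str
    login: str
    issue: str   # one of: terminated, used_after_termination, unmapped, stale


# Constructed per-vendor account exports. The federated app carries no local account
# list: its identities, and therefore deprovisioning, live in the central directory.
APPS = [
    Application("LMS", federated=True),
    Application("NicheTutoringTool", federated=False, accounts=[
        {"login": "jdoe@example.edu", "last_login": date(2022, 9, 1)},
        {"login": "asmith@example.edu", "last_login": date(2022, 8, 15)},  # after termination
        {"login": "RLee@gmail.com", "last_login": date(2022, 9, 3)},      # personal address
        {"login": "consultant42", "last_login": date(2021, 1, 10)},       # no email at all
    ]),
]


def audit_app(app, directory, today):
    """Return the findings for one application's local accounts."""
    findings = []
    if app.federated:
        return findings   # access is governed centrally; nothing local to reconcile
    for acct in app.accounts:
        login = acct["login"].lower()
        record = directory.get(login)
        if record is None:
            # A personal address or bare username cannot be deprovisioned from the
            # directory, so a termination in HR never reaches this account.
            findings.append(Finding(app.name, login, "unmapped"))
        elif record["status"] == "terminated":
            findings.append(Finding(app.name, login, "terminated"))
            if acct["last_login"] and acct["last_login"] > record["terminated_on"]:
                # Strongest signal: the account was actually used after the person left.
                findings.append(Finding(app.name, login, "used_after_termination"))
        if acct["last_login"] is None or today - acct["last_login"] > STALE_AFTER:
            findings.append(Finding(app.name, login, "stale"))
    return findings


def audit_all(apps, directory, today):
    """Run the reconciliation across every application and collect the findings."""
    return [f for app in apps for f in audit_app(app, directory, today)]


if __name__ == "__main__":
    for f in audit_all(APPS, DIRECTORY, AS_OF):
        print(f"{f.app:20} {f.login:25} {f.issue}")
```

Run against a real export, the same logic turns the policy statement "remove users upon termination" into a repeatable check that can be reported to the board alongside the other risk metrics; the federated application produces no findings because its access is already governed in one place.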

Similar to small businesses, colleges and universities have limited resources and must make difficult budgeting decisions when it comes to strengthening their cyber controls. In financial services, some measures, such as limiting the use of Universal Serial Bus (USB) drives, can be easily mandated, while that may not be possible in higher education. As a result, alternative methods must be deployed. A primary method of reducing risk is increasing awareness through training and reinforcing good cyber protocols. Not only will this help higher education institutions, it will also help students learn a valuable skill: how to keep their own data safe by improving their ability to detect harmful cyberschemes.

Endnotes

1 Scholz, S.; W. Hagen; C. Lee; “The Increasing Threat of Ransomware in Higher Education,” Educause Review, 22 June 2021
2 BlueVoyant, Cybersecurity in Higher Education 2022, February 2021
3 Pattison-Gordon, J.; A. Adams; “How Does K-12, Higher Education Fare in a Ransomware Attack?” Governing, 7 August 2022
4 Committee of Sponsoring Organizations (COSO), Enterprise Risk Management—Integrating With Strategy and Performance, USA, 2017
5 International Organization for Standardization (ISO), ISO 31000:2018 Risk Management—Guidelines, Switzerland, 2018
6 Federal Trade Commission (FTC), Gramm-Leach-Bliley Act, USA

Kathleen Martin, CISA, CRISC

Is the risk compliance officer for Bristol Community College (Fall River, Massachusetts, USA). Prior to working in higher education, she served as an audit, internal controls and enterprise risk management leader for enterprises such as CitiStreet, JPMorgan and Santander.