In March 2018, the U.S. Department of Justice indicted nine Iranian citizens who committed state-sponsored cyberattacks against 144 U.S. universities, 176 foreign universities across 21 countries, and other organizations. According to the Department of Justice, the attackers targeted more than 100,000 e-mail accounts of professors from around the world and successfully compromised almost 8,000 of those accounts.
Over the course of the attack, which began in at least 2013, the hackers stole more than 31 terabytes of academic data and intellectual property; the department estimates that the stolen data had cost U.S. universities more than $3.4 billion to procure.
As colleges and universities are increasingly targeted by cyber criminals, protecting data has become a top priority for campus leaders. Between 2015 and 2016, cyberattacks on universities increased 40 percent. “If you’re not worried, you should be,” says George Baroudi, vice president for information technology and chief information officer at Long Island University (LIU), Brookville, N.Y., in a recent NACUBO webcast, Cybersecurity: A Primer for Higher Education Leadership. “Cybersecurity is not an IT issue; it’s a business issue.”
Higher education institutions are storehouses of data—including student, alumni, research, and financial data—and intellectual property. Because they are also committed to openness in the name of learning, they can be attractive targets for malicious cyber criminals. While openness and security can sometimes be at odds, institution leaders must commit to security measures that make sense for protecting their information, along with their institutions’ integrity and reputation.
Data Security Means Business
Once upon a time, IT professionals sat in a room by themselves and waited for people across campus to call in for tech support, Baroudi says. But as campuses and business offices became increasingly digitized, “we became the architects of the information system,” he says. “We must understand the CFO’s job and how to deal with all the business elements in order to make appropriate decisions about data. Chief information officers have become business officers more than anything else to ensure data integrity.”
Protecting data is important because data are a strategic asset for institutions, especially in the digital era, adds Keith McIntosh, vice president and chief information officer at the University of Richmond, Richmond, Va., and NACUBO board member. “We need access to actionable information in all areas of the institution to make informed decisions, to measure and improve, and to operate efficiently and effectively,” he says. “Protecting data is a critical enabler of our ability to confidently perform our duties, operate the institution, and accomplish our mission of educating students.”
Fraud can lead to huge balance sheet losses. For instance, cyber criminals are increasingly using business e-mail compromise (BEC), also known as CEO fraud, in which they spoof company e-mail accounts and impersonate executives to fool an employee in accounting or HR into executing unauthorized wire transfers or sending out confidential tax information. In 2017, MacEwan University in Edmonton, Canada, was defrauded of $11.8 million in such a case.
In addition to potential stolen funds, there are a number of other financial costs related to such breaches, such as data analytics, legal costs, media consulting, credit monitoring for affected parties, data recovery and reconstruction, possible fines, new equipment, and training. According to a study from the Ponemon Institute, a Michigan-based research center dedicated to privacy, data protection, and information security policy, data breaches that involved a negligent employee or contractor cost organizations an average of $283,281. If the incident involves an imposter or thief who steals credentials, the cost more than doubles to an average of $648,845.
And a breach can become a public relations nightmare, deterring students and families from choosing a particular institution. “I suspect students, as well as families, expect institutions to provide reasonable protections for the data we collect and to ensure we are considering privacy concerns,” McIntosh says. “We have a responsibility to provide physical security for our students while entrusted in our care. We also have the same responsibility to protect their data.”
The reputational damage of a data breach “cannot be underestimated,” adds Mark Oster, national managing partner at Grant Thornton, who also presented during the webcast. “It’s a very, very costly problem to have to solve.”
Understanding the Threats
There are a number of different types of cyber threats to higher education institutions, and BEC has become one of the leading threats. Sometimes, criminals use phishing—sending out e-mails to lots of people to see who will take the bait and unknowingly initiate a phony wire transfer, commit tax fraud, or modify direct deposits. In other cases, criminals use spear phishing, targeted e-mails sent to a specific person that seem to come directly from the institution’s president or another campus official, Oster says.
There are also other types of threats that can wreak havoc on a college or university. Denial of service (DoS) attacks can overwhelm your systems and make them unavailable. In some cases, criminals will gain access to your systems and install malware or ransomware, which can give them access to sensitive information or lock your staff out of your network until you pay a ransom.
In an effort to make staff more aware, the IT department at one university sent institutionwide communications notifying staff that they should not use unauthorized flash drives on their computers. To test whether the communication was working, the IT team scattered a few flash drives on a campus parking lot, Oster says. When employees picked them up and tried to use them in their computers, they received a warning message from the IT department reminding them not to use unauthorized drives.
On another campus, an employee found a CD in the copy room marked “2017 salary data.” Curious, the employee opened the file on his computer and the CD installed malware, which “logged and transmitted his every key stroke to a bad guy,” Oster says.
Because data breaches can occur through a variety of means—including unintentional user errors, rogue insiders, or hackers—it’s crucial that colleges and universities cover all their bases for security. That includes instituting safety procedures, conducting ongoing trainings, and performing regular checks to ensure that protocols are being followed.
An important step in accomplishing information security on campus is to give IT leaders a seat at the business office table. “IT alone cannot protect our data to the extent necessary,” McIntosh says. “We need everyone to know, understand, and practice good data hygiene.”
McIntosh advises business officers to know and understand basic cybersecurity issues, such as the CIA triad, which stands for confidentiality, integrity, and availability. “Confidentiality revolves around the principle of least privilege, integrity ensures that the information is not tampered with in transit or at rest, and availability ensures that information is available when needed,” he says.
Business officers should have regular discussions about cybersecurity with their CIOs and their boards, usually as part of their audit and compliance committee. “Typically, these discussions center around cyber risk, data management, business continuity, disaster recovery, and audits,” McIntosh says. “There are more compliance and regulatory requirements surfacing each year.”
Finally, business officers should help champion cybersecurity awareness and appropriate controls to mitigate risks across the institution. At Long Island University, IT leaders have worked closely with business officers and other campus leaders to design and implement a cybersecurity plan across six campuses with an enrollment of 22,000 students. The plan includes the following four components:
1. Data classification. LIU started by classifying the types of data, based on the amount of risk that they pose to the institution. For instance, restricted or confidential data include records protected under the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and other highly controlled information. Private data, which represent a moderate level of risk, include things such as home addresses, ethnicities, and salary information. Public data, such as press releases, course information, and research publications, represent little or no risk.
2. Assignments of data responsibility. After classifying all the institution’s data, LIU assigned different departments to share the responsibility for each type of data. For instance, the registrar’s office and the information technology office share responsibility for FERPA student records. Both departments are required to grant privileges and access to such data, Baroudi says.
“At every level of the institution, all LIU employees are considered data custodians,” he adds. “For instance, faculty are the data custodians of grades and department chairs are data custodians of GPA data.” There is also a small, elite group of “super users” with access to review and modify privileged and confidential information—and all super users undergo extensive background checks before they are hired.
3. Multilayered security systems. LIU’s IT department has deployed a number of devices to fight potential cyberattacks, including firewalls, intrusion detection systems, intrusion prevention systems, malware detection appliances, and virus scanners at workstations.
In addition, LIU has implemented stringent security rules for users. For instance, users with access to restricted data are unable to install any software or access unauthorized sites—no business office employee can use Facebook, Gmail, or Yahoo Mail from their work computers. For those users, USB ports are disabled. In addition, the system forces password changes every 90 days. Also, users with access to restricted data are severely limited in their ability to access work documents remotely. All remote access must be approved by a vice president, and if a laptop is used, strong encryption is applied to all data.
Users who don’t have access to restricted data have less stringent, but equally secure, guidelines. Faculty members must get approval from academic affairs and information technology before deploying any instructional technology tool. In general, faculty members only have access to course materials, the learning management system, and other sites necessary for their work, and they are instructed to communicate with students only through their MyLIU accounts. They are also required to change passwords frequently.
4. Ongoing monitoring. LIU also commissions an annual third-party penetration test of its confidential networks to see if there are any holes that need to be filled. “If you’re aware of your weaknesses, you can manage them,” Baroudi says. “If you’re not aware, you can’t manage what you don’t know. I welcome any penetration test because it makes us stronger.”
Those third-party penetration tests, together with LIU’s monitoring systems, show recent attacks, whether they were prevented, and, if possible, where they originated. All the ongoing data help LIU leaders continue to refine their cybersecurity plans. LIU also carries cybersecurity breach insurance and utilizes an online incident management system.
Increasingly, cybersecurity is a bottom-line business issue on college and university campuses. And to keep data safe—thereby protecting your institution’s finances, reputation, and competitive advantages—data security must be prioritized by business leaders, and other leaders across campus.
NANCY MANN JACKSON, Huntsville, Ala., covers higher education business issues for Business Officer.