Higher Education Faces Growing Security Challenge With Low Budgets, Cultural Barriers

While not on the scale of recent megabreaches in the retail or health-care industries, security experts say that the higher education market is facing big challenges when it comes to cybersecurity, leading it to be one of the lowest-performing verticals in the market when it comes to breach protection.

In the most recent example, Harvard University said last week that it had been hit by a breach that affected as many as eight schools and administrative offices. The intrusion started in the Cambridge, Mass., university's Faculty of Arts and Sciences (FAS) and Central Administration, and it remains unclear what information was accessed by the hackers, though the university warned that school logins may have been compromised.

The eight breaches so far this year in education have compromised a total of more than 20,000 records, though five of the breaches had an unknown impact, according to the Privacy Rights Clearinghouse. Last year, there were 28 known education breaches, totaling more than 1 million compromised records.

[Related: VARs Are Moving Aggressively To Capitalize On Education Market Boom]

Sponsored post

In an analysis last week of industry security performance by security ratings company BitSight, the education sector landed dead last, with a score of 550 out of a possible range of 250 to 900. That compares with 620 for health care, 630 for utilities, 670 for retail and 710 for finance. That position isn't new for the education market, BitSight Chief Technology Officer and co-founder Stephen Boyer told CRN.

"Higher education has been the lowest-performing sector as long as we have been measuring it," Boyer said. "The thing that was pretty scary is that higher education is below retail and health care, which have [both] had major breaches."

Rajiv Motwani, director of security research at Websense Security Labs, said he is seeing the same trend.

"The education sector, while we do hear of breaches here and there, is only now becoming the focus," Motwani said.

The reason higher education has remained out of the headlines is that the breaches tend to be smaller in scale, around 10,000 records or so, compared with the millions of records involved in recent high-profile health-care and retail megabreaches, Boyer said.

Driving the challenge for the higher education market are tighter security budgets compared with other industries, a lack of central control and a typically open environment with a high prevalence of bring-your-own-device, Boyer said. Those challenges, combined with a vast amount of intellectual property, connections to other organizations and student information make the market opportune for attackers, he said.

"I think it's one of the challenges that higher education is going to face," Boyer said. "They have a lot of intellectual property that would be nice for others to have, and their systems aren't very well protected. I think we're going to continue to see these types of breaches."

Another large challenge for the education sector in security is the culture, said Robert Desman, director of business development at Atlanta-based Carceron Managed IT Services.

"There's always been something sacred in academia in terms of openness, the exchange of ideas and freedom of thought," Desman said. "Culturally, that's not one of those things that's security-conscious."

"More than any single thing, it's a cultural issue, and we're still in the infancy of where the institutions are in terms of being security-conscious. They'll go ahead and build up their police forces if they have a lot of incidents, but it's always a case of closing the barn door after the horses have gotten out," he continued.

The only way to overcome the cultural security barrier is training and education of both students and faculty around best practices, Desman said.

"The first place to start is making people simply more aware of how at risk they are," Desman said.

A large part of that training includes shifting browsing behavior, Websense's Motwani said. In a recent Websense survey, the company's researchers found that the education sector is twice as likely to visit malicious websites, twice as likely to be impacted by spyware and adware, and 20 times more likely to be impacted by black hat SEO.

"Given the nature of browsing and given what they are doing, it's easy for the attacker to go down the kill chain because the users are helping them," Motwani said.

As higher education pivots to focus more on security, BitSight's Boyer recommended implementing best practices that have proven successful in other verticals such as finance. Those best practices include executive sponsorship at the highest level, a focus on areas with the highest risk and vigilant monitoring. Desman added regular system audits and training to that list, and Motwani added segmenting risky users and keeping infrastructure up to date.