Universities increasingly targeted by cybercriminals

Anthony Di Bello

There's certainly been plenty of news around universities whose files have been breached in recent years. In a recent incident at the University of Tampa, sensitive information about 30,000 students and employees was spilled. Last summer the University of Wisconsin reported that it found a server infected with malware that stored Social Security numbers and names of 75,000 faculty members and students. A cursory search of the DatalossDB shows that breaches at the University of Virginia, Holy Family University, University of Nebraska, and Stanford, among others, have occurred recently.

Why are university files breached so commonly? There are many reasons. The first may have to do with the culture at most universities. Schools are typically more open with their infrastructure than enterprises, with higher network user turnover, and universities generally promote an environment that is more tolerant of students exploring and pushing boundaries on their network. Finally, universities are more likely than enterprises to be operating under tighter IT budgets, which means that security investment is also going to be tight.

These conditions create an environment that cyber criminals are more likely to view as an easier target.

In addition to being more vulnerable, universities also are shiny targets for attack because they hold a trove of valuable data.

Think about it. Universities possess decades' worth of data on students – financial aid and loan information, Social Security numbers, student work history, e-mails, as well as student addresses and possibly even information on their parents. Many universities also hold sensitive health-related information.

A quick look at the DatalossDB shows that university files aren’t only being breached accidentally (through lost drives, web server errors, etc.); they’re actually being targeted by attackers. Of the 10 recent breaches listed in the DatalossDB, seven are due to an attack of one form or another.

Considering the facts, it’s pretty clear that universities aren’t being targeted just because they are perceived to be less secure than enterprises, but also because they have valuable data that can be used for fraud and identity theft.

Yet, when it comes to saving, universities are shortsighted and costing themselves more by cutting security budgets. With nearly every state having a data breach disclosure law, the cost of disclosure is quite high when considering the expense of notification, investigation, mitigation, and potential lawsuits. For instance, the cost of credit monitoring alone can run $15 to $20 per record – and these breaches can involve hundreds, thousands, and even tens of thousands of records per breach.

To cut the risks of data breaches and keep the costs of those that do occur relatively low, universities need to understand where their sensitive data lives, and be able to quickly respond when something goes awry, such as malware infiltrating a server. And they need to make sure that strong incident response procedures are in place. Given budget cutbacks, increased dependence on IT systems, and attackers who are more active than ever, it’s more important than ever that universities have the tools in place to be able to limit the scope, and thereby the costs, of the breaches they do incur.
