All computer users are at risk of downloading malware or computer viruses. The malicious software is sent out in bulk mail, and everyone will receive an infected email attachment or a link to a malicious website at some point. Often on a daily basis. However, individuals are not typically targeted by cybercriminals. Attacks on individuals are usually random. Business on the other hand are being targeted, and there have been an increasing number of cyberattacks on universities and other higher education institutions in recent months.
Successful cyberattacks on universities can allow criminals to steal highly valuable data. Those data can be sold on the black market to identity thieves and fraudsters for big money.
Cyberattacks on universities and educational institutions are a growing cause for concern
The reason for the cyberattacks on universities are: A) Universities store a lot of student data; B) They often store Social Security numbers which are very valuable to identity thieves; C) They use tools to facilitate collaboration, which makes attacks easier to pull off; and D) Students and professors tend to use a much wider range of software than a typical business – The more software systems are used; the higher the risk of vulnerabilities existing that can be exploited.
After a number of successful cyberattacks on universities, higher education institutions have been forced to improve defenses. They have had to re-evaluate the way they are configuring their networks and implement new policies covering Internet usage and data security.
One of the main problems is the range of software used by universities and the tools that must be offered to students to allow them to learn, collaborate, and conduct research. University networks are also highly complicated and particularly difficult to manage. It is therefore easy for security vulnerabilities to be missed.
This year, major attacks have been suffered by a number of universities in the United States, and there are still 4 months left of the year. More will undoubtedly be suffered before the year is out.
One of the biggest was suffered by the University of Maryland in February. Hackers were able to steal the data of 300,000 individuals, including their full names, dates of birth, and Social Security numbers: The three data elements that are required to commit identity theft with ease.
A data breach of a similar scale was suffered by North Dakota University. In this case, hackers gained access to a server in October, 2013, although it took four months for the data breach to be discovered. Approximately 290,000 records were obtained by a hacker in that cyberattack.
How are cyberattacks on universities conducted?
News that hackers are increasingly targeting universities is no surprise. Cyberattacks on universities have been occurring for years. In the majority of cases, those attacks are thwarted, but cybercriminals are getting sneaky and a lot better at sidestepping security defenses. Many attacks are now starting with spear phishing campaigns. Individuals are researched and cunning schemes developed to convince them to open malware-infected email attachments or visit malicious websites that steal their login credentials.
The cyberattack on North Dakota University is understood to have involved a spear phishing element. Interestingly, three IT professionals were placed on administrative leave last month. They were part of the team responsible for Internet security. According to an internal investigation, the employees “didn’t think server security was part of their job.” IT managers take note!
The cost of mitigating risk after cyberattacks on universities is considerable
The Ponemon Institute has calculated the cost of cyberattacks on universities, and estimates the cost of mitigation following a successful attack to be $111 per record. Why is the cost so high? Teams of forensic investigators have to analyze servers and entire networks to determine which data were accessed and who has been affected. The investigations are painstaking and take weeks to conduct.
Since Social Security numbers and other highly sensitive data are obtained in many of the attacks, credit monitoring services must be offered to the victims, along with identity theft resolution services. All individuals must be mailed a breach notification letter. The cost of mailing the letters alone can be considerable. Then there are class-action lawsuits filed by the breach victims. They often seek $1,000 per head in damages.
The Maricopa County Community College District data breach was estimated to have cost $17.1 million, and that doesn’t include the cost of class-action lawsuits. The University of Maryland data breach will similarly cost millions to resolve. Then there is the damage caused to a university’s reputation. It is difficult to determine what effect such a massive data breach will have in that regard.
Considering the cost of resolution, it is perhaps understandable that cyberattacks on universities are not always published. Some security experts have estimated that only half of successful attacks are actually reported.
When you consider the astronomical cost of data breach resolution, the cost of implementing cybersecurity defenses does not seem so high.