For two years Chinese hackers had unfettered access to computers used for specialized aerospace engineering research in a lab that works mainly for the Pentagon, as well as at a site that develops technology for the U.S. Navy.
But it wasn’t a defense contracting firm hackers were targeting. It was Penn State University, one of many institutions of higher learning in America that have been compromised in cyber attacks in what’s become a growing trend.
Higher education ranks third among the sectors targeted by hackers, with 10 percent of all data breaches now occurring at colleges and universities, according to Symantec’s 2014 Internet Security Threat Report.
That puts higher education behind only health care at 37 percent and retail at 11 percent as a target of cyber thieves. Higher education is also ahead of sectors that include insurance, government and public, and financial.
Colleges and universities that have been hacked recently include Harvard, Washington State University, the University of Maryland, the University of Virginia and Johns Hopkins University. Since 2006, more than 550 universities have been targeted, according to NBC News.
Universities are prime targets for cyber attacks for several reasons. For one thing, they are research institutions with sensitive and cutting-edge data that’s often relatively easy for cyber thieves to access. They are also repositories of student identification details such as Social Security numbers, birthdates and other data, including credit card and other financial information.
Because colleges have such a mobile population, with students packing their own laptops, they are an easy target and one with a high probability of success.
The proper response
Compliance standards provide industry baselines for security protocols, which many universities are not even close to following. PCI (Payment Card Industry), NIST (National Institute of Standards and Technology) and others will help them prioritize their most sensitive data and will provide best practices for securing that information.
More importantly, third-party audits against industry security compliance standards can identify significant shortcomings in specific areas of their cyber security posture and help prioritize resources to secure that data.
Insurance is becoming more important to cover losses and remediation actions after a breach, including forensics, legal intervention and crisis communications. And universities are looking beyond the commercial off-the-shelf policies offered by large carriers. More and more institutions of higher learning are borrowing the strategy of Fortune 500 firms and large healthcare organizations by starting to adopt self-insurance, or “captives,” to cover catastrophic losses.
Having the right response plan in place can make all the difference, especially in a risk environment where successful response can be measured in minutes, not weeks. This level of attention is starting to reach senior advisory boards: it is no longer in the hands of technology offices but is shifting to risk managers and chief executives. That trend needs to continue.
Although they are a few years behind their private sector peers, colleges and universities are finally starting to take this threat seriously from a holistic risk management perspective rather than just throwing money at the IT department to buy the next greatest “cyber security tool.” We’ll see if this trend continues.