Schaumburg, IL, April 9, 2014: In 2013, HALOCK Security Labs noted information security vulnerabilities at colleges and universities along with numerous hacker challenges that plague these institutions across the United States. More breaches may come to light if higher education institutions do not rethink their cyber security measures.
Just this year, hackers have been successful in gaining access to over 740,000 student and alumni personal information records, including social security numbers, combined. The breaches occurred at University of Maryland on February 19, 2014, Indiana University on February 26, 2014 and North Dakota University on March 6, 2014.
HALOCK Security Labs’ 2013 investigation found that 25% of 162 universities sampled were putting student and parent financial data at risk through the use of unsafe unencrypted email practices. This data included W-2’s and tax information transmitted to financial aid offices. Universities continue to be targeted by hackers because they maintain not only a wealth of student and parent financial data, but they are also centers for cutting edge research and intellectual property.
These recent breaches highlight the reason why universities need to take security seriously and extend their safeguards beyond unsecure email. While HALOCK’s investigation highlighted a certain type of security lapse, the recent breaches underscore that universities need to consider security comprehensively.
Why aren’t schools and universities taking the necessary steps to safeguard sensitive information?
“Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody,” says Terry Kurzynski, Senior Partner at HALOCK.
Universities are overwhelmed by a number of issues:
- Typical university cultures promote open access to information: A core requirement for information security is the classification of information and systems. And because colleges and universities are quasi-public places, they must separate their public network zones from their sensitive network zones and ensure that each are secured according to their risk.
- Transient and inexperienced student workers: After colleges and universities have separated their sensitive systems from their public systems, they can assign student employees with jobs that manage the public systems, leaving sensitive information in the control of properly trained and vetted permanent employees.
- Limited security and compliance budgets: While colleges and universities have lower budgets than some organizations, no organization has enough budget to address all of their security needs. All organizations must prioritize their investments using the risk assessments that are required by law.
- Student hackers have ample time to target the university that is teaching them hacking skills: Especially for colleges and universities that provide information security courses, academic networks can become the “lab” for course homework … in other words, when you teach information security, expect your students to hack your network for practice. Ensure that those who teach the courses collaborate with IT personnel to detect and prevent the activities that are being taught in the classroom.
- Information technology changes are often limited to seasonal university breaks: Major cyber security patches, upgrades, and security tool implementations are often held off until inter-semester periods when the risk of unavailable systems is lower. But this also means that the security risk is at its highest when class is in session. Proper change management processes can reduce your availability risks while making timely security upgrades.
- Difficulty in educating the Board of Trustees or Regents on security risks: A well-constructed risk assessment will define risks, in part, by their impact to the mission of the institution. Impacts to students, faculty, research funding and the school’s reputation and finances should all be considered as factors in risk assessments. A risk statement that reads, “A breach of PHI records from the research database, which foreseeably could happen over the next year, would result in major fines and would compromise our ability to get IRB approval for future research, as occurred at XYZ University Hospital last year,” is far more compelling argument than, “Please can we buy the two-factor authentication appliance? It could prevent a breach!”
According to Kurzynski, “Universities need to get serious about securing their environment. They need to be sure that they are following cyber security standards, as well as the laws and regulations that require the protection of personal information.” Some find this challenging especially when budgets are tight.
Universities that implement a risk management framework often find it easier to reach compliance. “Under this framework, organizations invest in security so that they manage the likelihood and impact of breaches,” says Kurzynski. “Securing information according to risk becomes much more manageable than might have previously been imagined.”
About HALOCK www.halock.com:
Founded in 1996, HALOCK Security Labs is a cyber security services firm that strives to balance both business needs and information security requirements. HALOCK’s philosophy of “Purpose Driven Security” focuses on defining and implementing just the right amount of security; not too much, not too little. HALOCK’s services include: Cyber Security and Risk Management, Compliance Validation, Penetration Testing, Incident Response Readiness, Security Organization Development, and Malware Defense Strategy & Solutions.
I can certainly relate to this article from my own personal experience working at the university. The facts highlighted above represent some of the challenges universities face with regards to Information Security and it really resonates with my personal experience working at the university in Info. Sec.
It brings back old memories and I think its worth sharing this with Info Sec admins at a university.
Was a University report published or was this article the only findings published?
If a University report was published, can I get an electronic copy?
Thank you for considering my request.
There is no paper published, it was a recent investigation we did that you can read here.
Higher Education is a Prime Target for Security Breaches