To protect their data and their students, educational institutions must implement strong security policies, access controls, and anti-malware solutions and foster a culture of cybersecurity awareness.
The increase in digitalization has fundamentally changed how education is delivered and consumed by students. The demand for online learning has risen in the last few years, leading higher education institutions to shift toward blended learning environments. The availability of remote access and IT support solutions has allowed students, faculty, and staff to connect to educational resources from anywhere via a diverse range of devices, empowering them with greater flexibility in both learning and teaching.
Regardless of industry, however, digital transformation inevitably creates cybersecurity challenges because it expands the attack surface that the organization must oversee. In recent years, colleges and universities have become prime targets for cyber threat actors because of the value and volume of the data they hold and because educational institutions are designed to share information, making them vulnerable to and lucrative for attackers.
The Headwinds Facing Higher Education
Cybersecurity Storm: Protecting Educational Havens
Data breaches have become increasingly common, driven by colossal combo lists that are sold and traded on the dark web and increased reliance on third-party educational service providers, many of which have inadequate security.
While large enterprises may offer more lucrative returns for threat actors, these enterprises generally make sizable investments in cybersecurity protection, making them difficult to hack. By contrast, higher education institutions generally do not invest heavily in cybersecurity and are slow in responding to changing threats. Without budget availability, it's more difficult for educational institutions to fortify their infrastructures against the increasing and evolving threat landscape or compete with commercial businesses to recruit skilled IT talent. These factors have contributed to the success of cyberattacks against educational institutions. Because institutions are designed to share information and favor open access, they are easier targets for attackers.
With a 44 percent increase in cyberattacks since 2022, the education sector ranked as the least secure industry sector. It was also the sector with the highest vulnerabilities and the lowest readiness in identifying and remediating cybersecurity threats.Footnote1
The Impact of Cybersecurity on Education: Evaluating Beyond Monetary Costs
With an average recovery time of forty-nine days, cyberattacks have a tremendous impact on higher education institutions, not only in terms of financial hardship but also in terms of operational disruption and reputational damage.Footnote2
Data breaches can result in substantial financial losses. The average cost of a data breach in the education sector is a staggering $3.65 million.Footnote3 These costs include expenses related to incident response, legal fees, regulatory fines, and reputational damage.
Cyberattacks disrupt the normal operations of educational institutions. Denial-of-service (DoS) attacks can render online learning platforms inaccessible, causing significant disruptions to students' education. Ransomware attacks encrypt critical data, leading to an operational standstill until the ransom is paid or the data is recovered.
The reputational damage caused by data breaches and cyber incidents is immeasurable and hard to recover from, as these breaches compromise an institution's image and erode trust among students, parents, graduates, donors, and partners.
IT Hygiene: Safeguarding the Heartbeat of Education
Good IT hygiene is critical for supporting the cybersecurity initiatives of educational institutions. Likewise, poor cybersecurity practices have far-reaching implications for data privacy, system functionality, and student preparedness. For example, failing to implement regular software updates and patches leaves institutional systems exposed to known vulnerabilities. Sixty percent of vulnerabilities could be averted if security updates or patches had been deployed.Footnote4 Furthermore, poor IT hygiene practices can lead to system performance issues, causing downtime and interruptions to the learning process.
The growing demand on IT teams for help desk support and a general lack of resources or prioritization of teaching, promoting, and enforcing cybersecurity best practices all contribute to poor IT hygiene.
Cultural Change: Addressing Barriers to Cybersecurity
Institutional culture plays a pivotal role in driving the success of cybersecurity policies. Higher education institutions require a multifaceted approach to cybersecurity that addresses technological, organizational, and cultural factors. Leadership support is critical in driving the mind shift necessary to align these elements. This shift in mindset starts with institutional culture.
According to a recent Splashtop survey of IT professionals who work in educational settings, establishing a secure workspace for students and staff is the primary area of interest for educational institutions, with 81 percent of higher education institutions and 64 percent of K–12 schools planning to invest in a cybersecurity strategy during the current academic year.Footnote5 Prioritizing cybersecurity and privacy requires a top-down approach with appropriate monetary and resource investments aimed at embedding cybersecurity and privacy education into the culture of the institution.
Best Practices for Higher Education
Cybersecurity Gains and Hurdles: Securing the Cloud
Cloud solutions that incorporate sophisticated controls and are provided by leading cloud and SaaS providers contribute to a more agile and efficient educational ecosystem. These solutions offer scalability, allowing institutions to adapt to changing needs. Moreover, cloud platforms facilitate collaboration and support activities, fostering a dynamic and interactive learning environment. The move to the cloud reduces demands on in-house IT resources and leads to improvements in cybersecurity. However, educational institutions should carefully vet SaaS vendors and cloud providers, as not all providers share the same philosophy about cybersecurity investment.
Institutions should start by partnering with SaaS providers with certifications such as ISO/IEC 27001, the globally recognized benchmark for information security management systems. Vendors that achieve ISO certification meet the highest standards for risk management, cyber resilience, operational excellence, safeguarding of customer data, and continuous improvement.
Effective Cybersecurity Policies: Shifting Toward Zero Trust
This shift toward effective cybersecurity policies involves creating a culture of awareness and proactive risk management against emerging threats such as more sophisticated ransomware, insider, and student attacks.
The first step to establishing a robust security policy is implementing strong security controls and guidelines for handling sensitive data. These guidelines should also address the use of mobile and internet of things (IoT) devices.
Access control is essential for limiting unauthorized access to sensitive data. Educational institutions should adhere to the principle of least privilege and ensure that individuals only have access to the necessary programs and data for their roles. Institutions should also look into improving authentication, implementing centralized identity, managing third-party access, reducing the use of easy-to-hack passwords, and adding multi-factor or biometric authentication. Zero Trust frameworks—already embraced by governments, standards bodies, and large enterprises—can be especially useful.
A Strategic Approach: Implementing Zero Trust
When implementing a Zero Trust strategy, educational institutions should identify high-risk or high-value areas to pilot Zero Trust capabilities. For instance, a biotech research project with sensitive intellectual property would benefit greatly from a Zero Trust approach. The institution should start by thoroughly understanding the key assets involved in the project, such as research data, devices, applications, and networks. Network micro-segmentation can isolate the research project resources from the rest of the campus network. Detailed monitoring and analytics provide visibility into all access attempts. Starting with enterprise-grade authentication for wireless (and even wired) networks and certificate-based authentication (to replace passwords) will significantly strengthen network security.
Human Firewalls: Building Cyber Resilience in Education
Implementing the cybersecurity measures cited above (as well as additional measures) is not sufficient without also conducting cybersecurity awareness and training programs for students, faculty, and staff. Well-informed individuals are the first line of defense against phishing attacks and other cyber threats. For this reason, institutions need to start integrating cybersecurity awareness into their educational programs. Since 85 percent of data breaches are caused by human error, employees and students must be trained to identify and report phishing emails, create strong passwords, and protect their personal information from unauthorized access.Footnote6
The Secure Path Forward
The higher education cybersecurity landscape is fraught with challenges, but these challenges are not insurmountable. Educational institutions must take proactive measures to protect their data and students by implementing strong security policies, access controls, and anti-malware solutions and fostering a culture of cybersecurity awareness and education. By doing so, institutions can navigate the evolving cybersecurity landscape, ensure the safety of their digital environments, and maintain their reputations.
- Education Sector Experiencing More Than Double Monthly Attacks, Compared to Other Industries, research report, (San Carlos, CA: Check Point Research, August 2022). Jump back to footnote 1 in the text.
- Cybersecurity in Education, research report, (Santa Clara, CA: Intel Corporation). Jump back to footnote 2 in the text.
- Cost of Data Breach Report in 2023, research report, (New York, NY: IBM, 2023). Jump back to footnote 3 in the text.
- Kevin James, "Importance of Cybersecurity in the Education," Cybersecurity for Me (website), September 18, 2023. Jump back to footnote 4 in the text.
- Splashtop Global Edu Survey 2023, research report, (Cupertino, CA: Splashtop, forthcoming). Jump back to footnote 5 in the text.
- Psychology of Human Error, research report, (Boston, MA: Tessian, 2020). Jump back to footnote 6 in the text.
Daniela Itro is Director at Splashtop.
© 2023 Splashtop.