Cybersecurity in Higher Education: Don't Let the Hackers Win

At the beginning of the 2021 fall semester, two American community colleges had to close due to cyberattacks. In June 2022, the IT system of a university in Italy was held ransom for $4.5 million. In May 2023, a ransomware group used a vulnerability in the MOVEit app to breach hundreds of organizations, including higher education institutions. These events, and others like them, underscore why the 2024 EDUCAUSE Top 10 listed "Cybersecurity as a Core Competency" as the number one factor in the drive to develop institutional resilience.^Footnote1

In today's climate, higher education CISOs and CIOs around the world have a right to be concerned. Education is the number one target of hackers globally, with nearly 2,300 attacks per week. The education sector has been identified as having the highest vulnerabilities and the lowest readiness in terms of identifying and remediating threats. Additionally, this sector is rumored to be willing and able to pay ransoms to recoup student data, research, systems availability, and more. The average price of those ransoms is $3.65 million.^Footnote2

All of that would be crippling if there were nothing that could be done about it. But there is. The CIS Benchmarks provide organizations with a roadmap that has proven to be effective against cyberattacks. This article provides a key tip for implementing CIS Benchmark security under tight budgets and timelines.

CIS Benchmarks: A Right-Sized Approach for Baseline Security in Higher Education

The CIS Benchmarks were developed by the Center for Internet Security, a nonprofit consortium of cybersecurity experts and leaders who have assembled global best practices for establishing and maintaining baseline security and maturity. The Benchmarks cover over one hundred configuration guidelines for more than twenty-five vendor product families commonly found in higher education. One of the advantages of the CIS Benchmarks is that they map to other compliance guidelines like the Security Technical Implementation Guides (STIGs) and those from the National Institute of Standards and Technology (NIST).

While the STIGs and NIST standards tend to be more broad-based approaches, the CIS Benchmarks have emerged as the right-sized approach for the education sector, taking into consideration ease and speed of implementation, cost to implement, and effectiveness. In addition to offering a pathway to help organizations achieve Cybersecurity Maturity Model Certification (CMMC), the CIS Benchmarks provide a solid basis for implementing a Zero Trust approach at your organization.

Cybersecurity Maturity: Why It's More Difficult—and Frustrating—in Education

There are many reasons why data breaches, phishing, ransomware, denial of service attacks, and even online course invasions and social media defacement are so successful in higher education. But the primary reason is because they work. The personal data institutions hold, the sensitive research they house, and the speed at which institutions make decisions make them big, juicy sitting ducks. And when hackers hold a college or university's data for ransom, the institution will pay big money to get back to business as usual. Even worse, breaches cost more than just money. They cost an organization trust, reputation, innovation, time, and system availability—not to mention putting the misfortune of the college or university in the mouths of newscasters across the country.

The following six factors add to the difficulty technology leaders face in thwarting these types of threats by creating a baseline security solution in academia:

• Resource shortages. The money and staffing needed to establish and maintain a mature cybersecurity posture are lacking.
• Cultural resistance to change. Higher education is renowned for a slow pace when it comes to transformation.
• Employee compliance. Getting users, faculty, and staff to follow safety protocols is challenging. In fact, 30 percent of users in the education sector have fallen for phishing scams. That number is TWICE the rate of the population at large.^Footnote3
• Complex IT environments. From legacy systems and decentralized infrastructures to remote users and supply chain access, higher education networks are more vulnerable and difficult to protect.
• Lack of awareness. CIS Benchmarks and endpoint security are relatively new to higher education and can be challenging to understand, creating hurdles to action.
• Lack of capacity. Where do you even start with something like this? The overwhelming amount of work can result in months and even years ticking by with no action.

All of these factors stand between a technology leader and a successful transformation. As a result, this initiative needs to be socialized at every level of the institution before, during, and after implementation. Everyone needs a clear vision of what is at stake, from data theft to ransoms. Students, faculty, and staff need to know how their access will change—with more password protection and high-risk application capabilities turned off. The case needs to be made for a bigger budget using the proof points stakeholders value most. And leadership needs to know that cybersecurity maturation has evolved from "nice to have" to DEFCON 2.

CIS Benchmarks Needs Assessment: 10 Questions to Ask

Many hallmarks of colleges and universities make them especially vulnerable to attack. Because the CIS Benchmarks can be used to harden cloud platforms and services, databases, software, mobile devices, network devices, and operating systems, they can address these areas of vulnerability and secure the technology and data that you, as a technology leader, are responsible for protecting. How many of the following questions can you say yes to? If you say yes to seven of them (many will say yes to all of them), your institution is already operating on borrowed time with its current cybersecurity measures:

1. Do you maintain legacy systems?

   Because colleges and universities were early adopters of the internet and other technologies, they often rely on legacy systems built in less sophisticated times. Hackers look for legacy systems because they are vulnerable to current and continually evolving threats.

2. Are you also an early adopter?

   The higher education sector tends to be open to trying new ways to engage students, conduct research, and improve accessibility. However, these solutions are usually untested and may be open to vulnerabilities.

3. Do your systems hold personal data?

   From full names and birthdays to social security numbers, colleges and universities have student, faculty, staff, alumni, and vendor data that hackers are hungry to steal and exploit. Even worse, they can steal it and hold it for ransom.

4. Is the cybersecurity budget at your institution lacking?

   Educational institutions are often forced to work under tight budgets, and resources tend to go to high-earning and high-profile initiatives like athletics and research. This leaves IT teams with few tools and even fewer hands to protect against cyberattacks.

5. Does your institution offer remote learning?

   The rapid transition to online learning during the COVID-19 pandemic created exponentially more doors for hackers to infiltrate. An array of software programs and unvetted apps were downloaded on remote devices to enhance learning. As a result, colleges and universities unwittingly opened their systems to countless attack vectors.

6. Does your institution conduct research?

   Espionage is a significant threat among colleges and universities that are centers for research and hold valuable information. While a phishing attack may be opportunistic, an attack on an institution's intellectual property will likely be fully intentional, targeted, and over before anyone realizes it has even happened.

7. Is your IT network decentralized?

   Colleges and universities usually have decentralized systems because, for example, it makes sense for the biology and literature departments to have distinct systems. They have distinct needs. But decentralized systems often result in piecemeal setups with clear vulnerabilities.

8. Does your institutional website have a .edu domain name and issue .edu email addresses?

   Your .edu website and email address are big Bat-Signals for hackers who like to phish. High-value .edu email addresses are often published online, making institutional leaders easy to find. In some cases, bad actors can get their own .edu email address simply by filling out a new student application on a college or university's website, and once they have that email address, they look legit. So, depending on how good their phish is, institutional users are likely to fall for the scam. The relative ease of obtaining a legitimate email address is why 90 percent of academic breaches begin with an email attack.^Footnote4

9. Do you have trouble finding qualified cybersecurity professionals for your team?

   There is a severe shortage of qualified cybersecurity professionals, which will last for the foreseeable future.^Footnote5 If you are working shorthanded now—and most colleges and universities are stretched thin—that means you don't have much spare time to implement security protocols. And, if you intend to align with the CIS Benchmarks, you won't be able to implement your solution until you either hire additional team members or automate compliance.

10. Are parts of your system accessible to students, faculty, suppliers, and others?

    The more people who have access to your system, the more people who can be phished or otherwise used to hack into the system.

Implementing the CIS Benchmarks: You Can't Go It Alone

With FY 2025 budgeting on the horizon, 2024 is a critical year to commit to higher levels of cybersecurity. It's a simple matter of how much an institution wants to pay hackers versus how much it wants to protect its data. But whether your institution implements the CIS Benchmarks, the NIST data security standards, or some other standard, you'll run up against the same dilemma—you can't go it alone. You're already stretched too thin, and manual implementation is A LOT of work.

Automation simplifies implementation and maintenance, eliminates human error, provides greater situational awareness, reduces the burden, improves effectiveness, and relieves the headache of establishing and maintaining modern cybersecurity practices—at a lower cost than hiring additional employees. Unless your team has nothing to do all day, automation is the only way to mature your cybersecurity program to world-class status with the people you already have.

SteelCloud's ConfigOS automation software reduces 90 percent of the effort and 70 percent of the cost of manual implementation, removing weeks, and in some cases months, from your implementation timeline. SteelCloud is an established leader in automating the CIS Benchmarks and has been proven in higher education. If budget constraints limit what you are able to do, automation is the way to get ironclad security amid resource shortages and cultural resistance to rapid change. To read more about the CIS Benchmarks and where automation can help, download the CIS Benchmarks Compliance Success Guide.

Notes

1. Natalie Schwartz, "2 Community Colleges Start the Week Closed to Recover from Cyberattacks," Higher Ed Dive, November 29, 2021; Mihir Bagwe, "BlackCat Attacks University of Pisa, Demands $4.5M Ransom," BankInfoSecurity (website), June 14, 2022; Lauren Coffey, "MOVEit Attack Signals Growing Cybersecurity Threats for Higher Ed," Inside Higher Ed, July 27, 2023; Susan Grajek and the 2023–2024 EDUCAUSE Top 10 Panel, "2024 EDUCAUSE Top 10: Institutional Resilience," EDUCAUSE Review, October 16, 2023. Jump back to footnote 1 in the text.↩
2. Daniela Itro, "8 Considerations When Establishing Cybersecurity in Higher Education," EDUCAUSE Review, October 30, 2023; Cost of Data Breach Report 2023, research report, (New York, NY: IBM, 2023). Jump back to footnote 2 in the text.↩
3. Stephen Moramarco, "Phishing Attacks in the Education Industry," Infosec (website), September 27, 2017. Jump back to footnote 3 in the text.↩
4. Joel Witts, "Email Security for Higher Education: How Can Universities and Colleges Protect Staff and Students from Threats?" Expert Insights (website), September 23, 2022. Jump back to footnote 4 in the text.↩
5. ISC2 Cybersecurity Workforce Study: How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce, research report (Alexandria, VA: ISC2, 2023). Jump back to footnote 5 in the text.↩