By Elissa Doroff, Underwriting Manager, AXA XL
Cyber attack, espionage, and ransomware aren’t part of the curriculum; they are the threats that colleges and universities face as more sophisticated cyber criminals target higher education. It was something no one saw coming.
In 2002, Yale University’s computer system was hacked. What the hackers accessed: applicant data and acceptance/rejection status information. The confessed hacker: the director of admissions at Princeton University.
While the hack was not traditional in nature (the director used Social Security numbers and birth dates of Princeton applicants who had also applied to Yale to access the system), it was an embarrassing incident for both colleges. It was also the first reported case of cyber espionage.
In a way, the hack proved to be a useful event that helped Yale’s cyber security team tighten their internet security. Unfortunately, not all colleges and universities are that fortunate.
In 2004, three breaches at California universities accounted for 2,000,000 stolen records. And neither time nor increased IT sophistication have staunched the number of attacks; in 2015, 539 breaches involving almost 13 million records were reported in the higher education sector. In fact, by the first half of 2017, data breaches had risen 103 percent over the previous year, with 77 percent of all US universities being unprepared for cyber risk.
Education is expected to remain on the list of the top 10 industries targeted by cyber attack until at least 2022.
Today’s cyber criminals are not only looking for data; they are looking for ransom. New York City-based Monroe College had its computer systems hacked in July 2019, shutting down the college’s website, the email system, and online course access as well as potentially compromising the records of over 8,000 enrolled students. Hackers demanded $2 million in Bitcoin decryption key from Monroe College. In March 2018, well over 300 universities worldwide were victims of an organized cyber attack that compromised 31 terabytes of data.
By March 2019, things had not improved. That month, Oberlin College (Ohio), Grinnell College (Iowa), and Hamilton College (New York) fell victim to cyber attacks that compromised student application data. However, instead of demanding ransom from the colleges, hackers instead demanded one Bitcoin from each student whose records were stolen. They later reduced the ransom demand to $60 per student.
The changing cyber security landscape for colleges
Higher education is no stranger to hacking and intrusion. In fact, what is believed to be the first cyber attack happened at a university back in the 80s. In 1988, Cornell University graduate student Robert Morris launched a computer worm while at MIT to gauge the size of the internet. That attack, known as the Morris Worm, replicated and spread rapidly, causing an estimated $100,000 to 10,000,000 in damages.
Unfortunately, things have not improved. By all accounts, cyber crime targeting higher education is becoming much more sophisticated. However, colleges and universities are not always prepared for such evolution.
Why are colleges and universities easy targets for cyber attacks?
By their very nature, schools operate under an open-access IT environment. Thus, they are challenged with maintaining that environment for students, faculty and staff, thus making them frequent targets for cyber attack. As higher education changes how it operates, using more technology for education, student services, and administration, the cyber risks multiply.
That leaves plenty of data at risk. And the data hackers can access is myriad: employee personal and financial information, student information, parents’ financial information, research data, grades, application data, medical information, and more.
Cyber criminals are changing how they operate, as well. No longer interested in merely compromising records and going through the motions of selling them on the dark web, hackers are now more direct in their approach. The number of ransom demands on colleges have increased significantly in just the last few years, and cyber criminals are rarely single entities, they are now organized groups of hackers using an orchestrated approach to infiltrate as many systems as possible.
How are colleges and universities staying ahead of cyber thieves?
Fortunately, colleges and universities can improve cyber security. We recommend a multi-layered approach that includes:• Risk assessment
• Prevention and response plans
• Regular system updates/offline system backups
• Creating a culture of IT security
• Cyber insurance
At the outset, colleges and universities must understand their risks and prioritize them in order of impact. What information is at highest risk? What systems are most critical? Those are risks that should be monitored regularly.
Also, schools should be grading their data sensitivity – from low to severe – and putting protections around each level according to the severity of the risk. For example, publicly available information would not need protection, whereas personally identifiable information would require encryption and managed, secure storage.
Who has access to such data should also be controlled. By limiting the number of people able to access highly sensitive information, colleges and universities can therefore limit breach potential. Likewise, for unsecured devices, limit what users can access and for how long the devices can access those systems and data.
Prevention and response
Once your institution understands what it is protecting, it should then create or revamp its prevention and response plans. Also, schools should work testing into the prevention plans. A recent test by Clemson University involved sending 100 emails to faculty and staff. While one-fourth of the emails were blocked by the school’s system, over a dozen recipients responded to the phishing scam, and six of the school’s computers were then loaded with malware.
Tests like this allow your institution to see where the vulnerabilities lie and help IT professionals establish better protocols to avoid system breach. Some of those protocols should include:
• Employee/staff education
• Stronger passwords that are changed regularly
• Multi-factor authentication
Once a breach occurs, your institution should have a plan in place for what to do first, whom to call, and which regulatory requirements are triggered by the breach. Having a response plan in place allows your school to respond and recover faster, thus limiting the damage.
System updates and offline backups
Many vulnerabilities can be traced to systems that have not had regular updates and patches applied. Update systems at the first opportunity and stay on top of all subsequent patches and updates.
Backup data is also vulnerable. Today’s hacker compromises not only the systems, but the backups, as well. You can limit the financial impact of a breach by storing all backups offline.
The IT security culture
Probably the largest threat to a college or university’s cyber security is human error. Students click on links. Staff give out passwords. A strong prevention plan needs to include ongoing education about hacking methods and what students and staff should do with potential phishing attempts. Work with your IT department to develop a phishing response policy and an easy way for students, faculty, and staff to report any questionable emails or phone calls.
For any organization that handles sensitive data, cyber insurance is a must. Not only will insurance cover the costs of recovery, but the right insurance policy gives institutions access to computer forensics experts, data breach notification/call center services, expert legal counsel, public relations specialist, and credit and ID monitoring services.
Also, cyber insurance should include the following coverage:
• Privacy & Security Liability
• Data Breach Response and Crisis Management
• Privacy Regulatory Defense Costs and coverage for any fines and penalties assessed. Business Interruption and Extra Expense
• Data Recovery
• Cyber Extortion and Ransomware
An insurance carrier that specializes in cyber liability can help you put together an insurance policy that addresses your school’s most critical vulnerabilities. A specialty carrier can also help your institution uncover potential areas of risk and put protections in place that can reduce your exposures.
As cyber criminals target colleges and universities, organizations should be addressing the gaps in security as well as educating students, faculty, and staff in how to identify and handle breach attempts.
Schools are far too easy marks for cyber criminals, but they don’t have to be. Putting the effort into education, security strategies, and prevention and response planning can help your institution reduce a number of cyber risks it faces. Working with an insurance carrier that specializes in cyber security is a cost-effective way to improve security and keep information safe.
Elissa Doroff is Product Manager for AXA XL’s Cyber & Technology insurance business in North America.