Higher education requires unique cyber risk approach

By Erin Ayers on April 3, 2015

Colleges and universities offer a treasure trove of personal and commercially useful information that clearly appeals to cybercriminals, but the risk management approach to securing sensitive data relating to students, faculty, and alumni – or research that could lead to the next big scientific or technological discovery – must recognize the open environment unique to academia and work with it rather than against it in order to succeed.

This week began with reports of a distributed denial of service (DDoS) attack against New Jersey’s Rutgers University. It was the third such attack since November, according to the school’s newspaper. Advisen data show that Indiana University, University of Maryland, and Johns Hopkins have all been hit by security breaches. A recent study from SysCloud, a security solutions firm, found that 35 percent of all data breaches occur in the higher education sector at an average rate of one breach per week – but those breaches involve far fewer records than the headline-grabbing experiences of Home Depot, Target, and Anthem.

“We are the target of malicious activity from a wide variety of sources,” said Quinn Shamblin, executive director of information technology and information security officer at Boston University. “Universities have to think about it in the same way that their corporate counterparts would. And they are starting to do that.”

Low Performance

According to Stephen Boyer, CTO and co-founder of BitSight, higher education has been and continues to be one of the lowest performing sectors when ranking cybersecurity success. BitSight functions much like a credit bureau or rating agency, evaluating organizations on their effectiveness in securing their networks – and colleges simply aren’t making the grade.

An August 2014 study from the firm found that when addressing security challenges, higher education had ranked “considerably below” the retail and healthcare sector in preparing for and preventing security breaches.

Following BitSight’s study, several schools contacted the company for insight and assistance, Boyer said.

“They earnestly want to improve,” he said. “They recognize their unique challenges, they understand they’re a huge target and they can’t ignore it anymore. The tide is definitely changing.”

As BitSight points out, universities must comply with an alphabet parade of regulations – HIPAA, FERPA, Gramm-Leach-Bliley, FISMA, PCI-DSS and more. In addition, they may not have the budget that a for-profit business might have to dedicate to security.

Boyer noted that there are ways colleges can compete not just on the basketball courts, but in cyberspace. Schools that hired a dedicated information security officer performed better across the board.

“We see that it gets good results,” he said. “They say it’s just a matter of time before you’re hacked. Our contention is, actually, no, there are deliberate steps you can take.”

According to BU’s Shamblin, the academic culture presents a challenge for cybersecurity professionals. Installing a firewall or halting traffic to some of the more suspect spaces on the Internet isn’t considered an option, even – or perhaps especially – in the name of privacy and protection. To academics, it feels uncomfortably close to censorship of legitimate areas of study.

“We cannot do anything even remotely like that in higher ed, because there are legitimate reasons to go almost anywhere,” he said. “I could never do that and shouldn’t even say that, because they’re going to lose trust for us instantly.”

Shamblin added, “It is actually a key and very important fact that universities must be left to be bastions of free expression and free thought. The entire point of the system is to allow people to push boundaries of science and philosophy.”

This leads to “a culture of push-back against things that look like control, or Big Brother, or ‘the man,’” Shamblin said, adding, “anything that smacks of that is something that universities are going to look at very closely before agreeing to deploy.”

Instead, the necessary conversation involves helping colleges and universities to understand their risks, the data they hold, and the best ways to safeguard it.

John Christly, chief information security officer at Nova Southeastern University in Florida, told Advisen that reaching out to academic stakeholders is key. Nova Southeastern is a private, nonprofit academic medical center, training medical professionals and maintaining all the associated data with doing so.

“We have a lot of data within these walls,” he said. “We understand the trust people put in us to be good stewards of that data.”

Although higher ed has always been based upon open access to information, “obviously, that has to change,” Christly said, emphasizing the need for compromise on the part of both information security professionals and academics.

“It’s about communication and knowing the business,” he said. “You have to get out from your desk and talk to researchers, professors, your ‘customers.’ It’s got to be a two-way conversation. And then ask them, ‘what would you like me to do for you?’ Nobody wants to be the subject of a breach.”

According to both Shamblin and Christly, a “judgment-free” approach to securing school networks functions best. Shamblin recommends intrusion prevention systems that alert users to the risks of visiting websites known to be malicious, and a global threat intelligence system that automatically updates and watches for known threats.

“I don’t care what you’re going to look at. I care that your system’s going to get infected,” he said. “We deploy technology that can help your constituents understand, but where they still have control and still have choice.”
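The “warn, but leave the choice with the user” policy Shamblin describes can be made concrete. The following is an added illustration, not Boston University’s tooling or any product mentioned in the article: a destination host is checked against a threat-intelligence list that can be refreshed at runtime, and instead of silently dropping the connection the policy returns a warning the user may acknowledge, while every decision is recorded so the security team keeps visibility. The same engine run in `block` mode shows the stricter corporate default for comparison. All hostnames, feed lines and user names are constructed for the example.

```python
"""Added example: a 'warn, don't block' web-access policy backed by a
refreshable threat-intelligence list. Not the tooling of any organisation
in the article; hosts, feed contents and users are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ThreatIntel:
    """Listed hostnames with the reason for listing; replaced on each refresh."""
    indicators: dict[str, str] = field(default_factory=dict)
    last_update: Optional[datetime] = None

    def refresh(self, feed_lines: list[str]) -> int:
        """Load a feed of 'host,reason' lines and return the indicator count.
        The new feed replaces the old one, so delisted hosts stop triggering."""
        parsed: dict[str, str] = {}
        for line in feed_lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, _, reason = line.partition(",")
            parsed[host.strip().lower()] = reason.strip() or "listed"
        self.indicators = parsed
        self.last_update = datetime.now(timezone.utc)
        return len(parsed)

    def lookup(self, host: str) -> Optional[str]:
        """Match the host or any parent domain (www.bad.example -> bad.example),
        but never a bare top-level label."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.indicators:
                return self.indicators[candidate]
        return None


@dataclass
class Decision:
    action: str          # "allow", "warn" or "block"
    reason: str = ""


class WebAccessPolicy:
    """mode='warn' keeps the user's choice (the campus setting);
    mode='block' is the stricter corporate default."""

    def __init__(self, intel: ThreatIntel, mode: str = "warn"):
        if mode not in ("warn", "block"):
            raise ValueError("mode must be 'warn' or 'block'")
        self.intel = intel
        self.mode = mode
        self.audit: list[dict] = []      # what the security team sees

    def evaluate(self, user: str, host: str, acknowledged: bool = False) -> Decision:
        reason = self.intel.lookup(host)
        if reason is None:
            decision = Decision("allow")
        elif self.mode == "block":
            decision = Decision("block", reason)
        elif acknowledged:
            # The user saw the warning and chose to proceed: allowed, but logged.
            decision = Decision("allow", f"acknowledged warning: {reason}")
        else:
            decision = Decision("warn", reason)
        self.audit.append({"user": user, "host": host,
                           "action": decision.action, "reason": decision.reason})
        return decision


# Constructed feed for the example; real feeds come from a vendor or ISAC.
CONSTRUCTED_FEED = [
    "# constructed feed: host,reason",
    "malware-sample.example, known malware distribution",
    "phish-login.example, credential phishing",
]


def demo() -> list[str]:
    """Run the constructed scenario and return the sequence of actions taken."""
    intel = ThreatIntel()
    intel.refresh(CONSTRUCTED_FEED)
    campus = WebAccessPolicy(intel, mode="warn")
    actions = [
        campus.evaluate("researcher", "archive.example.org").action,          # clean host
        campus.evaluate("researcher", "cdn.malware-sample.example").action,   # subdomain of a listed host
        campus.evaluate("researcher", "cdn.malware-sample.example",
                        acknowledged=True).action,                            # user chose to proceed
    ]
    # A feed update delists the host; a fresh evaluation no longer warns.
    intel.refresh(["# updated feed", "phish-login.example, credential phishing"])
    actions.append(campus.evaluate("researcher", "cdn.malware-sample.example").action)
    return actions


if __name__ == "__main__":
    print(demo())
```

The audit list is the detection side of the design: a warn-mode policy still yields the same telemetry a block-mode one would, so the security team can spot a system that keeps contacting listed hosts even though no user was ever prevented from going anywhere.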

Shamblin said university risk officers and other stakeholders have become more aware of what the information security world can do for them, but it has been a long road and one requiring some interesting explanations.

“I teach Defense against Dark Arts, that’s what I do,” he said, likening the fight against the hackers to the battle against evil wizards in the Harry Potter universe.

Those dark arts have increased in importance to federal law enforcement officials in recent years, particularly in the higher ed field, which can find itself prey to malicious insiders. Shamblin cited worries over “student spies,” enlisted by other countries to stealthily access sensitive, frequently government-funded research in the nation’s university system. The FBI issued a white paper expressing concern over exploitation of student visas to steal intellectual property for misuse and highlighting red flags schools should know.

“Knowledge and information are valuable assets and are an integral part of university activities, but not all campus information is for public consumption. Individuals and organizations that want to obtain innovative or restricted information may have ulterior motives and may misrepresent themselves and their intentions in order to gain access to restricted information, or they may outright steal it,” the FBI asserted in its paper.

Risky to Underwrite

The insurance industry speaks of higher education in the same breath as other high-risk sectors for pricing and placing cyber coverage, as evidenced by a recent report from Arthur J. Gallagher.

“This is because these industries are incurring the most frequent attacks and, not surprisingly, also have the most records. For these industries, a select few markets are available to offer primary insurance options,” stated Adam Cottini, managing director and area senior vice president in Arthur J. Gallagher’s cyber liability practice and author of the report.

Cottini also explained that unencrypted mobile devices – of the sort that daily flood college campuses – are typically being excluded from coverage.

“Unencrypted mobile device exclusions are becoming commonplace. Unless appropriate risk management can be evidenced in lieu of encryption, the exclusion will not be removed and will cause insureds to absorb an exclusion that doesn’t leave room for negligent or malicious actions that are a more common exposure,” he said in the report.

Christly noted that Nova addresses the risk of unsecured mobile devices by limiting their access to the university network.

“You’re going to bring them and we don’t own them,” he said, adding that mobile device users most often want access to email and some school systems. Use requires “ground rules,” he said, commenting, “That’s fine, but you’re going to have to jump through these hoops to get there.”
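The “ground rules” Christly describes amount to tiered access for devices the university does not own. The following is an added illustration, not Nova Southeastern’s configuration: a device is granted resources according to the posture it can evidence, with each tier available only when every lower tier’s requirements are also met, and a helper that tells the user exactly which hoops still stand between them and a given system. The tier names, resource names and posture attributes are constructed for the example.

```python
"""Added example: posture-based access tiers for personally owned mobile
devices. Not the configuration of any institution in the article; tiers,
resources and the posture attributes are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """What a device can evidence about itself (constructed attribute set)."""
    storage_encrypted: bool
    screen_lock: bool
    mdm_enrolled: bool
    os_patched: bool


# Ordered from least to most demanding. Each tier names the posture
# attributes it requires and the resources it unlocks.
TIERS: list[tuple[str, list[str], set[str]]] = [
    ("guest",   [],                                    {"guest-wifi"}),
    ("email",   ["storage_encrypted", "screen_lock"],  {"email", "calendar"}),
    ("managed", ["mdm_enrolled", "os_patched"],        {"lms", "research-share", "student-records"}),
]


def _unmet(posture: DevicePosture, attrs: list[str]) -> list[str]:
    """Return the required attributes the device does not satisfy."""
    return [a for a in attrs if not getattr(posture, a)]


def allowed_resources(posture: DevicePosture) -> set[str]:
    """Grant tiers in order and stop at the first one the device fails,
    so an MDM-enrolled phone without a screen lock still gets only guest access."""
    granted: set[str] = set()
    for _name, required, resources in TIERS:
        if _unmet(posture, required):
            break
        granted |= resources
    return granted


def missing_hoops(posture: DevicePosture, resource: str) -> list[str]:
    """List every unmet requirement, across all tiers up to the one holding
    `resource`, so the user sees the full set of ground rules at once."""
    hoops: list[str] = []
    for _name, required, resources in TIERS:
        hoops += _unmet(posture, required)
        if resource in resources:
            return hoops
    raise KeyError(f"unknown resource: {resource}")


if __name__ == "__main__":
    byod_phone = DevicePosture(storage_encrypted=False, screen_lock=True,
                               mdm_enrolled=False, os_patched=True)
    print(sorted(allowed_resources(byod_phone)))
    print(missing_hoops(byod_phone, "research-share"))
```

The break in `allowed_resources` is the important design choice: without it, a device that happens to satisfy the top tier's checks but fails a lower one would be granted the most sensitive systems, which is exactly the gap an attacker with a jailbroken, enrolled device would look for.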

Christly said his university carries cyber insurance, but advises all stakeholders that it “doesn’t mean it’s a ‘get out of jail free’ card” and won’t cover negligence and some technical risks. Cybersecurity, particularly in higher education, requires more of an investment than buying an insurance policy.

“What I’m finding is, you cannot just insure your risk away,” Christly said. “Even if you can, you probably shouldn’t.”

That said, he noted that the insurance process frequently serves as an “audit,” a way for organizations to review their policies and training and to ensure that due diligence has occurred.

“I don’t know many companies that do not, but if they don’t, they’d better get on board,” he said. “If you don’t have it, you’ve got your head in the sand and you’re waiting for a disaster to happen.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.