Developing a cybersecurity strategy for higher education institutions

With its vast network of personal information, research findings, and intellectual property, the education sector faces the challenge of protecting valuable data against diverse threats. In recent years, academic institutions have significantly become the prime targets of cyberattacks. According to the 2023 SonicWall Cyber Threat Report, the education sector ranks first among the top five industries with the highest volume of malware attacks, with attacks targeting higher education customers rising to 26% and attacks targeting K-12 institutions skyrocketing at 323% by the end of 2022. The report also reveals that:

• The U.S. Department of Education ranks second under the top data breaches of 2022, impacting 820,000 student records.
• Ransomware attacks in the education sector spiked to 275%, with the biggest attack in 2022 directed at the Los Angeles Unified School District (LAUSD), the second largest school system in the US, which resulted in the public release of 500GB of stolen data including Social Security numbers, bank account information, W-9 forms, and sensitive student health information.

As educational institutions navigate operating in more integrated and technology-dependent environments due to increasing digitization, they need to establish reliable security measures to ensure a secure academic environment for students, faculty, and other stakeholders. Let’s explore the significance of cybersecurity in the higher education setting and how colleges and universities can develop a robust cybersecurity strategy:

The vulnerability of higher education

The Cyber Security Breaches Survey 2023 by the UK government’s Department for Science, Innovation, and Technology (DSIT) found that higher education institutions are more likely to suffer cyberattacks and are more affected than primary and secondary schools and further education colleges, with 50% of higher education institutions experiencing breaches or attacks at least weekly and 61% experiencing a negative impact such as data or financial loss. This vulnerability of higher education institutions can be attributed to several factors:

Unrestricted access. Compared to other industries, the education sector maintains a culture of academic freedom and collaboration, facilitating information sharing across networks. This degree of openness and transparency is often exploited by cyber attackers, allowing them to infiltrate systems without detection. 

Wider attack surface. From the use of personal devices and applications to connecting to campus networks and accessing academic records, educational institutions have a hard time controlling various academic-related activities and securing multiple entry points for potential attacks. Moreover, the diverse users and departments within an academic environment create complex and decentralized IT systems, exacerbating cybersecurity vulnerabilities.

Limited resources. According to the 2022 K-12 Report by the Center for Internet Security (CIS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the average K-12 school in the US spends less than 8% of its IT budget on cybersecurity, with one in five schools allotting less than 1%. Given that today’s educational system already struggles to finance equipment, staff, and infrastructure to improve the quality of education, the lack of a budget for cybersecurity implementation makes higher education institutions an easy target for threat actors.

The critical role of cybersecurity

Educational institutions are a gold mine of confidential information, which presents a lucrative opportunity for cybercriminals. As digital interactions become more prevalent in modern education, academic institutions need to prioritize incorporating cybersecurity in all facets of their operations. Cybersecurity involves tools and practices for detecting, preventing, and mitigating the impact of cyberattacks on devices, networks, systems, and data. Developing a cybersecurity plan offers many benefits for higher education institutions:

• Safeguarding sensitive data: A cybersecurity plan helps safeguard sensitive data such as student records, financial information, and research data from unauthorized access, theft, or manipulation.
• Promoting compliance with regulations: A cybersecurity plan ensures compliance with regulations such as the Family Educational Rights and Privacy Act (FERPA), which provides educational institutions with requirements for upholding student data privacy.
• Addressing risks and vulnerabilities: Developing a cybersecurity plan enables academic institutions to identify and address specific risks and vulnerabilities that can impact their data, systems, and operations.
• Ensuring business continuity: Cybersecurity implementation can prevent cyberattacks like ransomware from harming essential operations and help institutions maintain critical functions amidst disruptions.
• Preserving institutional reputation: Having robust security measures in place enables institutions to avoid security incidents that can damage their reputation and enhance trust in their capability to protect students, faculty, and stakeholders.

Establishing a cybersecurity strategy

To create an effective cybersecurity plan, you must first identify and organize your assets and then determine what your vulnerabilities and risks are so you can prioritize and manage them. Here are a few best practices that higher education institutions can adopt:

1. Implement a cybersecurity framework – Higher education institutions can utilize frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to guide their cybersecurity strategy. Implemented by distinguished institutions like the University of Chicago, the University of Florida, and the University of Pittsburgh, NIST CSF provides guidelines for managing cybersecurity risks as well as resources related to the academia discipline. It has 6 functions: Govern, Identify, Protect, Detect, Respond, and Recover which can help institutions establish risk management procedures, security controls, and incident detection, response, and mitigation strategies.
2. Assess risks regularly – Risk assessment involves evaluating the likelihood and impact of risks relevant to your institution and taking actionable steps to eliminate or reduce them. Conducting a risk assessment also involves recording your findings and reviewing and updating assessments regularly to ensure that identified risks and current risk management processes remain applicable to your institution.
3. Establish cybersecurity policies and controls – Security policies define the rules and practices set by your institution for safeguarding data while controls are security measures you put in place to avoid or minimize security risks. Enforcing policies such as email filtering, frequent system backups, and incident reporting and response protocols, as well as implementing robust security controls like Multi-Factor Authentication (MFA), access control, patch management, data encryption, and network segmentation allow your institution to effectively manage risks and protect data. The effectiveness of security controls must also be tested, evaluated, and monitored consistently.
4. Perform security assessments and audits – Routine examination and review of your policies, controls, and procedures through internal audits and assessments allow you to validate the overall effectiveness of your cybersecurity program as well as your institution’s compliance with legal and regulatory requirements. Performing assessments also enables you to identify new vulnerabilities and opportunities and continuously improve systems and technologies in line with evolving threats.
5. Conduct security training – Lastly, colleges and universities must foster a culture of security awareness and preparedness across their institutions. This entails communicating security policies to all employees, requiring comprehensive training for end users on system usage and security protocols, and educating both students and faculty on recognizing common social engineering attacks like phishing and equipping them with the necessary skills to safeguard their information.

6clicks: The solution for cybersecurity in higher education

6clicks can help higher education institutions build and implement a holistic cybersecurity strategy through its comprehensive IT Risk Management and Security Compliance solutions.

6clicks supports various security frameworks like NIST CSF and provides control sets and audit and assessment templates to facilitate your compliance.

Empower your institution with our robust cyber risk management capabilities. Store, organize, and manage your risks, streamline risk assessments, and create and track risk treatment plans using our powerful risk register and custom workflows.

Then, create, manage, and share internal policies and controls with key personnel, assign responsibilities and control tasks, and automate control testing through our Policy & Control Management features. Meanwhile, enhance information security with 6clicks’ Asset Management, Vulnerability Management, and Issues & Incident Management capabilities.

Finally, accelerate your institution’s audits and assessments using our question-based or requirements-based assessment questionnaires, one-click report generation tool, as well as our AI engine Hailey that automatically creates assessment responses based on previous data.

Achieve cyber resilience with 6clicks

Learn how 6clicks’ integrated, AI-powered cyber risk and compliance management platform can help your institution stay ahead of threats and ensure robust protection for your valuable data. Talk to our experts by clicking below: