According to a 2023 report from the cybersecurity company SonicWall, the nature of cyber attacks against higher ed appears to have changed and adapted to new security measures in the past few years. While much of the focus has been almost solely on ransomware attacks and data breach incidents — such as the recent MOVEit hack that has affected state and federal agencies and universities around the globe — the SonicWall report said malware attacks at colleges and universities also increased significantly between 2021 and 2022. It added that the threat of phishing attempts has remained, with some organizations battling what feels like a never-ending onslaught of more sophisticated phishing attacks.
Suraj Mohandas, vice president of strategy at Jamf, a software company that makes mobile device management tools, wrote in an email to Government Technology that part of what makes IT security increasingly challenging is the fact that cyber criminals have myriad tactics to exploit vulnerabilities created partly by efforts in recent years to digitize instruction and daily operations. Aside from the exorbitant cost of ransomware attacks against institutions such as Lincoln College, which was forced to close permanently in May 2022, the collection of so much data on digital systems has also exacerbated the cost of cyber incidents for staff and students, practically and financially. Mohandas pointed to a 2021 report from the Center for Digital Education that said data breaches cost each student an average of $250.
Unlike large corporations with more capital to put toward IT security, and government agencies that are often also tasked with providing supplemental funding to K-12 schools for cybersecurity, he said “many universities and colleges may have limited cybersecurity resources and budgets,” which are threatened by enrollment declines across higher ed.
“There have been major changes in the targeting of students and staff through sophisticated emails that mimic the systems used by the university. These emails ask individuals to change their passwords, et cetera. This is a key area of concern due to the increase in password fatigue, which leads to many people handing over their information or clicking on phishing links,” he wrote. “As more staff and students utilize IT tools, the target radius has increased over the years … One key vulnerability is the weakness of university systems, as outdated technology makes it easy for hackers to break through. Increased sophistication is also evident in SQL (structured query language) attacks through a higher education or school website, providing an entry point through online forms used to support users, but exploited by hackers.”
Mohandas said cyber criminals also frequently employ automated tools to launch “credential stuffing” attacks against higher ed institutions, making use of compromised username and password combinations from other breaches to gain unauthorized access to accounts for financial gain or to access research data.
“Weak or reused passwords can make institutions more vulnerable to these attacks,” he said, adding that the recent surge in attacks on higher ed institutions demonstrates a need for cybersecurity awareness campaigns and modernizing IT infrastructure.
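To make the credential stuffing pattern Mohandas describes concrete from the defender's side, here is an added Python example (written for this article, not code from Jamf or the SonicWall report) that scans constructed authentication log lines in an assumed format, separates one source cycling through many accounts (stuffing) from one account hammered repeatedly (brute force), and lists any logins that succeeded from a flagged source so those accounts can be reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). The log format is an
# assumption: timestamp, result, username and source IP on each line.
SAMPLE_LOG = """\
2023-09-01T08:00:01Z auth FAIL user=amartin src=203.0.113.7
2023-09-01T08:00:02Z auth FAIL user=bjones src=203.0.113.7
2023-09-01T08:00:03Z auth FAIL user=cwu src=203.0.113.7
2023-09-01T08:00:04Z auth FAIL user=dlee src=203.0.113.7
2023-09-01T08:00:05Z auth OK user=eroy src=203.0.113.7
2023-09-01T08:00:06Z auth FAIL user=fkhan src=203.0.113.7
2023-09-01T08:01:00Z auth FAIL user=gsmith src=198.51.100.9
2023-09-01T08:01:05Z auth FAIL user=gsmith src=198.51.100.9
2023-09-01T08:01:10Z auth FAIL user=gsmith src=198.51.100.9
2023-09-01T08:01:15Z auth FAIL user=gsmith src=198.51.100.9
2023-09-01T08:01:20Z auth FAIL user=gsmith src=198.51.100.9
2023-09-01T09:30:00Z auth OK user=hpatel src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Turn log text into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def analyze(events, window=timedelta(minutes=10), min_attempts=5, min_users=4):
    """Per source IP, find the busiest sliding window and label it.
    Many distinct usernames with few tries each = credential stuffing (reused
    breach credentials); one username tried repeatedly = brute force."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        best = None
        for i, (start, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] < start + window]
            if len(win) < min_attempts:
                continue
            users = {e[2] for e in win}
            pattern = "credential_stuffing" if len(users) >= min_users else "brute_force"
            cand = {"pattern": pattern, "attempts": len(win), "distinct_users": len(users),
                    # accounts that authenticated from a suspicious source: reset these first
                    "successes": sorted({e[2] for e in win if e[1] == "OK"})}
            if best is None or cand["attempts"] > best["attempts"]:
                best = cand
        if best:
            findings[src] = best
    return findings

if __name__ == "__main__":
    for src, info in analyze(parse(SAMPLE_LOG)).items():
        print(src, info)
```

Thresholds are constructed defaults; tune them to the institution's login volume, and pair the alert with MFA enforcement rather than relying on detection alone.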
Leslie DeCato, interim senior director of information security at California State University’s Chancellor’s Office, wrote in an email that universities should conduct regular vulnerability assessments, update policies for more robust cybersecurity planning and institute multifactor authentication to mitigate the threats posed by the evolution of cyber attacks.
“Developing an incident response plan, fostering collaboration and providing continuous cybersecurity education are also crucial,” she wrote. “Prioritizing these measures helps protect sensitive data, intellectual property and the institution’s reputation.”
Oregon State University CISO David McMorries said the increase in cyber attacks had already been unfolding and evolving before the rapid digitization spurred by remote learning during the pandemic compounded the threat. He said offices across Oregon State have been aggressively targeted with phishing attacks and other fraud schemes, in addition to threats like ransomware.
“The key thing that ties this all together is the financial gain these actors are looking to achieve,” he said.
University of North Carolina at Greensboro CISO Casey Forrest wrote in an email to Government Technology that while the (usually financial) motivations remain the same for most cyber criminals, their tactics have evolved since COVID-19 began. Forrest said bad actors have created malware, ransomware and distributed denial of service (DDoS) attacks that are “progressively more deceptive, more authentic in appearance, and more targeted,” partly due to their financial incentives for targeting higher ed organizations.
Forrest suggested taking away that incentive for cyber criminals to extort universities.
“Although not an absolute deterrent control, perhaps a policy or regulation to eliminate negotiation with ransomware groups is a worthy consideration,” Forrest wrote. “For example, North Carolina passed the first state law in November 2021 which prohibits all state agencies, the University of North Carolina, cities, counties, local schools and community colleges from payment or communication with ransomware groups. Another impactful suggestion, at an institutional level, would be to require annual information security awareness training for all employees, including their participation in a non-punitive, simulated phishing program — all of which is critically important to provide stakeholders the knowledge and confidence to safeguard their security interests.”