By Lauren Coffey
Cybersecurity concerns rippled through higher ed's awareness in 2023, when a data breach hit dozens of institutions across the nation.
Nearly a year later, those breaches are still occurring. MOVEit, a software product used by several universities and related organizations for file transfers, announced Friday that it had found new vulnerabilities that could lead to further security problems.
"So, no, your guard can't be taken down," said Shawn Waldman, CEO of Secure Cyber Defense. "Organizations need to be on the highest alert possible, especially today."
Higher education institutions are now markedly more prepared than they were last year, according to several cybersecurity experts who have seen institutions invest more time and money into safety measures.
"The increase in notoriety from these threat groups has really taken over and given administrators something to look at, because [being hacked] hurts your reputation," said Todd Doss, senior managing director at Guidepost Solutions.
An Inside Higher Ed survey last fall found that 82 percent of CIOs said they were "moderately," "very" or "extremely" confident that their institution's cybersecurity practices could prevent ransomware attacks—up from 73 percent in 2022.
That aligns with findings from Moody's, a bond rating agency, which found college and university cybersecurity budgets increased more than 70 percent in the last five years.
But money alone may not be enough to ward off the persistent—and growing—threats. Software company Malwarebytes called 2023 "the worst ransomware year on record for education," noting a 70 percent increase in reported attacks.
In August 2023, the University of Michigan had to halt internet services during the first week of classes due to a breach that affected 230,000 students. In September, three decades' worth of data was compromised at the University of Minnesota. And Hawaii Community College paid a ransom to hackers after roughly 28,000 individuals' information was compromised.
Cybersecurity Advice for Higher Ed
To deal with hackers, ransomware and other cyberthreats, there needs to be a systemic change within the university system, said Doug Thompson, chief education architect at Tanium.
"The biggest problem is the cultural willingness to give up control at institutions," said Thompson. "[Faculty] are used to the autonomy needed to install applications, but I don't necessarily know who has got it or how to control it. And if you don't know what you have and can't reach it readily, then I don't know what my risk is."
Thompson recommended a twofold approach: ensuring there is a point person in charge of the entire operation and putting hard deadlines on suggested cyberpractices, like giving 30 days to faculty to update all their applications.
Waldman said there needs to be a plan in place before any spending occurs, involving internal and external assessments to highlight where an institution is seeing gaps.
"What ends up happening is maybe there's an influx of money, maybe there's a grant, and they rush to do X instead of spending on a plan," he said. "Otherwise when the spending is done, sometimes, unfortunately, it's on the wrong thing."
Doss said institutions that do not have ample resources—usually smaller colleges and universities—can focus on, at the very least, adopting cloud-based tools if they do not have their own.
"The smaller universities just don't have the budgets or the staff to man a cyber program that can sustain the levels of attacks," he said, pointing out that he's seen students volunteer to run the IT help desk at some institutions.
Students also need to be considered when it comes to their roles in preventing cyberattacks, said Doss, who previously worked as an assistant director for the FBI running its crime lab division.
"It should be 'See something, say something,' but you have to give [students] a means in which to report it and need to give them training," he said, adding it could be built into the infrastructure itself, like requiring students to understand safety training before connecting to their college's Wi-Fi.
Institutional infrastructure is also changing, with most universities now at least considering adopting artificial intelligence and machine learning. But Suraj Mohandas, vice president of strategy at JAMF, said to keep in mind that while these tools can be helpful in cybersecurity measures, they can also be used by outside groups for more nefarious purposes.
"AI truly comes through as two sides of the same coin; there's a dark side and bright side to what it offers," he said. "And learning about the threats that are superpowered by AI will help us find tools that help us conquer its impact. It would be a shame to not leverage the latest in machine learning to understand and identify threats coming to us."