University Cybersecurity Is Still a Concern

By Lauren Coffey

ybersecurity concerns rippled through higher ed’s awareness in 2023, when a data breach hit dozens of institutions across the nation.

Nearly a year later, those breaches are still occurring. MOVEit, a software product used by several universities and related organizations for file transfers, announced Friday that it had found new vulnerabilities that could lead to further security problems.

“So, no, your guard can’t be taken down,” said Shawn Waldman, CEO of Secure Cyber Defense. “Organizations need to be on the highest alert possible, especially today.”

Higher education institutions are now markedly more prepared than they were last year, according to several cybersecurity experts who have seen institutions invest more time and money into safety measures.

“The increase in notoriety from these threat groups has really taken over and given administrators something to look at, because [being hacked] hurts your reputation,” said Todd Doss, senior managing director at Guidepost Solutions.

An Inside Higher Ed survey last fall found that 82 percent of CIOs said they were “moderately,” “very” or “extremely” confident that their institution’s cybersecurity practices could prevent ransomware attacks—up from 73 percent in 2022.

That aligns with findings from Moody’s, a bond rating agency, which found college and university cybersecurity budgets increased more than 70 percent in the last five years.

But money alone may not be enough to ward off the persistent—and growing—threats. Software company Malwarebytes called 2023 “the worst ransomware year on record for education,” noting a 70 percent increase in reported attacks.

In August 2023, the University of Michigan had to halt internet services during the first week of classes due to a breach that affected 230,000 students. In September, three decades’ worth of data was compromised at the University of Minnesota. And Hawaii Community College paid a ransom to hackers after roughly 28,000 individuals’ information was compromised.

Cybersecurity Advice for Higher Ed

To deal with hackers, ransomware and other cyberthreats, there needs to be a systemic change within the university system, said Doug Thompson, chief education architect at Tanium.

“The biggest problem is the cultural willingness to give up control at institutions,” said Thompson. “[Faculty] are used to the autonomy needed to install applications, but I don’t necessarily know who has got it or how to control it. And if you don’t know what you have and can’t reach it readily, then I don’t know what my risk is.”

Thompson recommended a twofold approach: ensuring there is a point person in charge of the entire operation and putting hard deadlines on suggested cyberpractices, like giving 30 days to faculty to update all their applications.

Waldman said there needs to be a plan in place before any spending occurs, involving internal and external assessments to highlight where an institution is seeing gaps.

“What ends up happening is maybe there’s an influx of money, maybe there’s a grant, and they rush to do X instead of spending on a plan,” he said. “Otherwise when the spending is done, sometimes, unfortunately, it’s on the wrong thing.”

Doss said institutions that do not have ample resources—usually smaller colleges and universities—can focus on, at the very least, adopting cloud-based tools if they do not have their own.

“The smaller universities just don’t have the budgets or the staff to man a cyber program that can sustain the levels of attacks,” he said, pointing out that he’s seen students volunteer to run the IT help desk at some institutions.

Students also need to be considered when it comes to their roles in preventing cyberattacks, said Doss, who previously worked as an assistant director for the FBI running its crime lab division.

“It should be ‘See something, say something,’ but you have to give [students] a means in which to report it and need to give them training,” he said, adding it could be built into the infrastructure itself, like requiring students to understand safety training before connecting to their college’s Wi-Fi.

Institutional infrastructure is also changing, with most universities now at least considering adopting artificial intelligence and machine learning. But Suraj Mohandas, vice president of strategy at JAMF, said to keep in mind that while these tools can be helpful in cybersecurity measures, they can also be used by outside groups for more nefarious purposes.

“AI truly comes through as two sides of the same coin; there’s a dark side and bright side to what it offers,” he said. “And learning about the threats that are superpowered by AI will help us find tools that help us conquer its impact. It would be a shame to not leverage the latest in machine learning to understand and identify threats coming to us.”