Why the education system is so intriguing for hackers

In the last two years, schools, colleges, and universities across America have been the target of a number of cybersecurity incidents and data breaches:

  • University of Chicago suffered a data breach, with names, Social Security numbers, employee IDs, usernames, sex, marital status, and some physical addresses and email addresses stolen (March 2015).
  • 62,000 University of Pittsburgh Medical Center employees had their personal information accessed by identity thieves. Some information was used to file bogus tax returns (March 2015).
  • The University of California, Berkeley announced that servers and workstations in the Real Estate division had been compromised (September 2014).
  • Social Security numbers of some 300,000 present and former students, faculty, and staff members at the University of Maryland, College Park were exposed by hackers (February 2014).
  • 145,000 applications to Virginia Tech were compromised when a server was illegally accessed (September 2013).
  • 74,000 University of Delaware students and staff had their Social Security numbers stolen (July 2013).
  • 5 million Social Security and bank account numbers associated with an Arizona community college system were stolen (April 2013).

Why is the school system so attractive?

Colleges and universities are often attractive targets for hackers because of the many access points into their networks. There is also a wealth of information available, including personal information, staff information, and intellectual property.

The abundance of data available on educational networks is so scattered that colleges and universities often find it hard to centrally secure all their data. School systems are also obliged to have their data available to researchers and students around the world without mandating which devices or software can be used. This makes it extremely difficult to prevent and detect security breaches.

“It’s been a long-standing concern that our culture of collaboration and trust kind of flies in the face of the need for security to be more closed, more alert and more sceptical and cynical,” said Rodney Petersen, senior policy adviser for SecuriCORE, a higher education information security project at Indiana University. “Just as campuses have added gates, guards and surveillance cameras in recent decades, they may have to end the era of open access to online resources”, he said.

While schools have traditionally used ‘open coffee-house style’ networks, institutions should be prioritizing security for data that needs the highest level of protection, such as tuition processing or employee payroll.

Improving security in the education system

It can be extremely difficult for schools and universities to detect malicious attacks or roll out cybersecurity best practices because of their size and the complexity of their network, systems, and data – the transition to cybersecurity best practice would be a huge challenge for any such organization.

Thankfully, the ISO 27001 standard provides a holistic approach to information security that encompasses people, processes, and technology. Implementing the standard can allow organizations/institutions of any size, sector, or industry to successfully implement internationally-recognized cybersecurity best practices.

Registration to the standard not only provides an internationally recognized level of security throughout your school or business, it also assures stakeholders that international best practice is being followed, meets legal and regulatory obligations, and reduces the risks your business faces.
