Emerging Technology (Enhancing, Engaging, Connecting)
- By David W. Dodd
- June 1st, 2017
Last year was a banner year for higher education — and not in a good way. 2016 marked a significant increase in the frequency and severity of cyberattacks on colleges and universities.
Cybersecurity firms and leading analysts had several consistent warnings for 2017. Denial-of-service attacks will grow in number and severity, ransomware will continue to grow, “fakes” in general are escalating rapidly, state-sponsored attacks will escalate, internal threats will increase and by 2020 a third of successful attacks on enterprises will be on their shadow IT resources. As bad as 2016 was, 2017 is already proving to be far worse.
Colleges and universities are excellent targets for cyberattacks. Though not in the same class as financial institutions, they typically have fairly open networks with relatively low levels of security, do less filtering of network and email content than other organizations and still have sizable budgets with the largest proportion usually relating to salaries. This is where “spear phishing” enters the picture.
“Spear phishing” is an example of a category of attacks called social engineering. This area has been called “hacking the head” because these cyberattacks skirt perimeter defenses such as firewalls and go directly to users. Spear phishing uses the most creative and convincing means to trick users into making a mistake, and hence compromise themselves. In many cases, this involves volunteering their username and password to the malicious agents who can then use the credentials to access any number of systems, including HR and payroll systems. If hackers can get a payroll direct deposit rerouted to one of their own accounts, the haul can be impressive. Note that this is essentially paid for by student tuition dollars. Despicable, yes. And too often successful.
The timing of a spear phishing attack is equally stunning. As reported from research studies, the median time for the first user of a phishing campaign to open the illegitimate email is 1 minute 40 seconds, with the average time for all recipients being 3 minutes 45 seconds to click on the malicious attachment. In 93 percent of cases, it took attackers minutes or less to compromise systems. Data exfiltration occurred within minutes in 28 percent of cases. Essentially, the damage is so quick that intervention is nearly impossible. Couple this with the fact that research also shows approximately twice as many people click malicious links as admit they do. For whatever reason, lack of awareness, embarrassment, denial or other, many people effectively default into their demise.
There are three components to an effective cybersecurity posture: people, processes and technology. All three are required. For anyone who erringly believes technology countermeasures should be able to protect people who believe they need not act responsibly, they believe in this fallacy at their own peril. The same principle applies to institutions that choose to believe that policies are unnecessary, and that everyone will simply choose to do “the right thing.”
HED institutions can work to meet the needs of these new threats in a number of ways. First and foremost, user communication, awareness and training are vital. Ensure that users are aware of these threats. Don’t try to dismiss them away, believing they either will never happen or that it “reflects badly on the institution.”
Policies and processes are equally vital. The National Institute of Standards and Technology (NIST) cybersecurity framework is the current gold standard for preparedness. There are five components to the NIST framework: Identify, Protect, Detect, Respond, Recover. There are numerous sources of information on this framework, as well as resources to help implement it.
I am continually amazed by the number of colleges and universities that do not take cybersecurity seriously and that have not implemented even basic protections and countermeasures. In this area, omission is almost inevitably a fatal mistake. If cost is an issue, this should be measured against the cost of doing nothing when the inevitable breach occurs.
A number of companies provide very good cybersecurity tools and systems that can be deployed quickly and effectively. However, while technology evolves rapidly, cybersecurity is among the fastest changing areas of all. This means that great technology can be wasted unless professionals with current expertise are involved in the design, planning and implementation of these tools. Relying on someone with 20-year-old knowledge to get this right precludes success.
Cyberattacks are escalating. HED institutions have tools and resources available to them to meet these challenges, and this should be a high priority. Taking action yet falling short is understandable, given the nature of this threat. Taking no action is unconscionable.
This article originally appeared in the June 2017 issue of College Planning & Management.
David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or firstname.lastname@example.org.