By Ellen Raineri, PhD
Academia has increasingly been the target of numerous cyberattacks. In 2005, a security breach affected about 32,000 student and staff records that were compromised as hackers gained access to social security numbers, pictures, and names (Vijayan, 2005). In 2013, employees at Saint Louis University were lured into a phishing email scam. Perpetrators gained access to 3,000 email accounts that accessed personal information such as social security numbers and health information (Saint Louis University, 2015).
In 2014, the University of Delaware was victim to a cyberattack. Hackers obtained personal information from 72,000 employees (University of Delaware, 2014). In 2015, a distributed denial-of-service attack was launched at Rutgers University in which students and faculty were unable to access the Sakai course management system (CBS NY, 2015). Another attack in 2015 targeted the engineering department at Penn State University. Usernames and passwords were obtained by perpetrators from China (Lennon, 2015). These are just a sample of security incidents that have occurred, so it is important for academic institutions to be attentive to 10 key vulnerable areas and to provide the proper mitigation.
1. Portable devices: Some institutions have a BYOD (bring your own device) policy. Accordingly, faculty and staff may have brought in their own tablets and smartphones. This poses a risk of eavesdropping as well as theft with access to sensitive data. Employees should not leave devices unattended while at work or home. When using the devices (speaking or typing), employees should be sure that no one is close by to see or hear sensitive information. Devices should have authentication to assist with access control. Lastly, devices can use encryption for transmitting information (Mathias, 2015).
2. Network: The vulnerable areas are DDoS attacks and viruses. Institutions should have current antivirus software, firewalls, IDSs, IPSs, and DMZs.
3. Emails: Email is vulnerable to phishing. Employees should participate in training to identify suspicious emails. Employees should be told not to click on unknown attachments and not to share confidential information that is requested by email.
4. Passwords: Perpetrators can try to seize passwords by brute force or dictionary attacks. Institutions should focus on having strong passwords in terms of lengths, variety (i.e., letters, numbers, symbols), and complex words; employees should be required to change their passwords on a regular basis.
5. Public computers: Within the library, common areas, and classroom, university computers are accessed by faculty, employees, and students. The websites they have viewed and the documents they have downloaded can be accessed unless history and downloaded files are cleared. Sensitive information such as financial documents, exams, and more are at risk. Users should clear history if using public computers.
6. Community: Employees are at risk from those in the community who might use the ploy of social engineering to gain access to sensitive information. Training should be offered so employees learn how to identify social engineering ploys. Employees should be told not to share confidential information with strangers.
7. Internal employees: Last year, 666,000 internal employees contributed to security breaches (Help Net Security, 2014). Institutions should determine and enforce access control to information.
8. Computer resources: Employees may use company resources (i.e., computers, emails, etc.) for malicious purposes such as launching botnets or sending hate mail. Institutions should provide employees with parameters regarding the use of computer resources for academic or nonacademic purposes.
9. Trash: The vulnerability is that confidential information may be accessed from discarded documents or hardware though dumpster diving or retrieval of hard drives. Confidential documents should be shredded, and hard drives should be destroyed.
10. Student data and systems (i.e., student systems or course management systems): The vulnerability is a lack of access due to a crisis such as a natural disaster or due to cyberattacks. Institutions should make regular backups and store them at an alternative location. Also, institutions should create and maintain disaster recovery plans.
Ellen Raineri is an adjunct faculty member at Kaplan University. The views expressed in this article are solely those of the author and do not represent the view of Kaplan University.
CBS New York. (2015, March 30). Rutgers university trying to restore computer systems after denial-of-service attack. Retrieved from http://newyork.cbslocal.com/2015/03/30/rutgers-university-trying-to-restore-computer-systems-after-denial-of-service-attack/
Help Net Security. (2014, February 19). US businesses suffer 666,000 internal security breaches. Retrieved from http://www.net-security.org/secworld.php?id=16379
Lennon, M. (2015, May 15). Penn State University cuts Internet after Chinese cyberattack. Retrieved from http://www.securityweek.com/penn-state-university-cuts-internet-response-chinese-cyberattack
Mathias, C. (2015). Minimizing BYOD security risks through policies and technology. Retrieved from http://searchconsumerization.techtarget.com/tip/Minimizing-BYOD-security-risks-through-policy-and-technology
Saint Louis University. (2015). Important information on phishing email scam. Retrieved from http://www.slu.edu/update-on-phishing-email-scam
University of Delaware. (2014). UD IT security response. Retrieved from http://www.udel.edu/it/response/
Vijayan, J. (2015, January 13). Hack exposes lax security in academia. Retrieved from http://www.computerworld.com/article/2568910/security0/hack-exposes-lax-security-in-academia.html