What went very wrong in 2014; what are concerns for 2015?

According to various reports, including those from BreachLevelIndex.com, PrivacyRights.org, and Secure Computing, there were at least 154 data breaches in the U.S. .edu realm in 2014, and another 36 in .edu-related healthcare facilities.

It may not sound like a shocking number at first blush, but within those breaches there were ultimately 2,608,038 known records exposed, with the number of records compromised per breach ranging from a single record to over 309,000. These records were compromised in a variety of ways; some were accidentally released, others were the result of malicious insiders or outsiders.

By way of scale: BreachLevelIndex.com reports 1450 worldwide breaches overall in 2014, comprising at least 974,801,829 records. Surely there’s duplication – for example, it’s likely that some of the same credit card info was exposed in the Target and Home Depot breaches – but in the case of .edu and .edu-related healthcare, the chances for overlap are significantly reduced.

Regardless, the raw stats suggest that .edu and .edu-related healthcare accounted for 13.10 percent of known breaches, but only 0.27 percent of the breached records. That discrepancy is in large measure due to those few breaches in 2014 where millions of records were exposed.

There are other cases where the breaches have not yet been reported; indeed, there are probably many that have not yet been discovered: consider these numbers to be conservative lower bounds.

What are the costs?

In some cases, financial penalties were assessed (for healthcare facilities: HIPAA violations are expensive!), victims filed lawsuits, and of course there were the costs of the investigations, often involving external forensics experts. In many cases, the compromised institutions pay the cost of credit monitoring for victims.

In The Chronicle of Higher Education, Paul Nikhinson of the Beazley Group, which sells cybersecurity insurance to colleges, estimates overall costs of 2014’s University of Maryland breach: “My very conservative estimate would be a couple million dollars.” Costs vary, of course, but according to BusinessIDTheft.org, “Credit monitoring services may cost between $8 and $30 per person per month”, and identity theft protection, if offered, is yet another cost.

These are conservative estimates: a Ponemon report shows international breaches in 2013 averaged, per record, $145 — but the costs were $201 for US, $294 for .edu, and $359 for healthcare. And let’s not even think about the loss of charitable contributions by alumni – victims or not! Perhaps the greatest cost – intangible though it may be – is the reputation and prestige of the institution. Unlike choosing a credit card or local bank, students (and parents) may select from hundreds of competing options when choosing where to pursue a secondary education. Part of the “College Selection Equation” may become “If we send Junior to University of X, might we end up paying even more due to identity theft than for tuition and associated costs?” While we cannot know the number of actual people whose records were compromised, the fact is that those individuals were put at risk, and that alone has a cost to the institutions that suffered the breaches.


How can this be mitigated?

According to the first three Quarterly Reports from BreachLevelIndex.com, less than 1 percent of all breaches between January and September 2014 were for cases where “secure encryption” was in use. While there is no info in their First Quarter report, their Second and Third Quarter reports show that no encryption was used at all for 537 of the 557 reported breaches – that’s an encryption rate (even if it’s trivial encryption) of only 3.59 percent.

This suggests that most of the data out there are improperly protected.

While it’s bad to be breached, at least if the data are unusable to those who acquire them, it’s much less of a nightmare. Lesson learned here? Encrypt all your data!

Looking forward

What should we be focusing on in 2015, besides — obviously — encrypting all data? In a 2014 TechValidate survey commissioned by ESET, respondents replied that in the next 12 months their biggest challenges are:

  • to protect student and organization data and intellectual property, and
  • to balance employee and student productivity with strong protection

Allow me to quote Vince Spiars, Administrative User Services Manager at Wesleyan University, when asked his concerns in the upcoming year:

More attacks in 2015: targeting and looking for IT personnel and administrators, looking for certain things to get into back end systems. For example, hackers are targeting people in the Registrar’s and Admissions offices. They are of interest because the attackers want to get credentials and ultimately gain access to systems to steal these data. They can also drop a bot to gain remote control, and then can see what is on systems, and scan for PII and SS information. There is a pick-up in this type of attack because data are increasingly valuable.

To combat this, Wesleyan plans several ways to “secure the user,” including security training videos for students and staff, in-person staff training by IT personnel, and continuing education efforts to report suspicious emails. In addition to educating the user – your true first line of defense – there are all kinds of technical solutions, like , for example that help institutions like Wesleyan stay protected.

During my 20-plus years in higher-ed security, I often heard that security education is futile. That may be true in other markets, but I can attest that if done properly, it is a very cost-effective tool. Make the most of the fact that you are in an environment where education is the focus!

Computer security is no easy row to hoe; it’s not a matter of if a breach will occur, but of when. Whether or not that breach has already occurred in your workplace, an emphasis on data encryption and education of your populace will pay big dividends for relatively little cost – a particularly welcome combination in the educational realm.

Bruce P. Burrell is a former University of Michigan IT/security team lead, and a current security researcher at ESET, a global cybersecurity company.
