In today’s threat landscape, anyone can be the victim of a cyberattack. While attacks on large corporations and financial institutions tend to generate the most headlines, the truth is that modern cybercriminals will target organizations of any size—and in any industry.
A common refrain in the cybersecurity industry is that “data is the new oil,” highlighting the fact that attackers aren’t just interested in money anymore—they want information. But attackers also recognize that information is more valuable to the institution than it is to them. That fact has led to a rash of ransomware attacks targeting colleges and universities, roughly two-thirds of which have been targeted by ransomware.
Even a small college is home to hundreds of students, while major universities might enroll tens of thousands. Those students submit medical records and financial aid forms, credit card info and social security numbers—a potential treasure trove for attackers, whether they plan to sell that data on the dark web or simply hold it for ransom. Unfortunately, many institutions lack the tools and knowledge to effectively protect themselves. With both the frequency and severity of identity-based attacks on the rise, colleges and universities need to understand their potential vulnerabilities and take the necessary steps to address them.
Understanding Identities and the Rise of Identity-Based Attacks
The 2022 Verizon Data Breach Investigations Report (DBIR) found that stolen credentials were a factor in nearly 50 percent of all attacks, including phishing attacks, third-party breaches, and ransomware attacks. The report notes that there has been a 30 percent increase in stolen credentials in the past five years alone, which attackers have leveraged into an increasingly reliable way to compromise identities and gain network access. For colleges and universities managing thousands of students, hundreds of employees, and sprawling alumni networks, protecting those credentials and effectively managing user identities is increasingly critical.
It’s also important to remember that many educational institutions conduct high-value research. The military in particular funds a wide range of projects at research universities, and while that research is often compartmentalized across multiple institutions, a savvy attacker able to compromise two or three of the right identities could potentially gain valuable insights into ongoing projects. At a time when cyber espionage is becoming increasingly common, the government wants assurances that its investments are being protected. Institutions without adequate identity security risk losing access to a critical source of funding.
Limiting the Potential Damage
Applying a “least privilege” model to identities—especially user identities—is essential for colleges and universities. This means that each identity should have only the privileges and entitlements it needs to fulfill its essential functions. For instance, every student needs access to their university email, but not every student needs access to business school or science lab resources. It’s important for schools to model “birthright” entitlements, like email, homework portals, and grading systems, with additional permissions defined by the classes they enroll in, which school their major falls within, their financial aid status, whether they live on campus, and other factors.
- The benefits of observational assessments in a ChatGPT world - March 27, 2023
- How to use data to fuel a secure financial future at your institution - March 22, 2023
- How IT teams can reduce the threat of cyberattacks - March 22, 2023