BreachExchange mailing list archives

Higher Education Institutions Increasingly Falling Victim to Cyberattacks
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 29 Jul 2015 19:03:53 -0600

http://www.jdsupra.com/legalnews/higher-education-institutions-70801/

Higher education institutions are treasure troves for hackers. Colleges and
universities are huge repositories of research data, sensitive information
for large populations of applicants and enrolled students (personal,
academic, financial and health data), as well as sensitive personal and tax
information for all faculty and staff. Higher education information systems
are particularly valuable targets for cyberattacks.

In the wake of a series of cyberattacks on several prominent colleges and
universities, higher education institutions would be well-advised to review
their current security posture, breach preparedness, and cyber insurance
coverage.

Reports of a recent cyberattack affecting eight colleges and the central
administration at an elite university in New England came on the heels of a
hack of an engineering college in Pennsylvania, exposing personal
information of at least 18,000 people and other sensitive data. These
follow numerous other reported attacks against colleges and universities
this past year, including reports of an extortion attack against a major
medical research university; hacks of three Midwestern universities
affecting almost 600,000 students, staff, faculty and alumni; and a hack of
a Mid-Atlantic university affecting more than 300,000 faculty, staff, and
students.

According to a 2014 Ponemon Institute study on cybercrime, the mean
cybercrime cost for U.S. entities in the education and research sector was
$8.1 million for fiscal year 2014, and $9 million across a five-year
average. More than 55% of the cybercrimes experienced across all industry
sectors were caused by denial of service attacks, malicious insiders, and
malicious code.

Beyond detecting, containing, and eradicating a cyber incident, navigating
state data breach laws can present additional challenges for the higher
education sector. Higher education institutions often have geographically
diverse student bodies, potentially implicating many of the 47 state data
breach notification laws (Alabama, South Dakota, and New Mexico are the
only three states without data breach notification laws). Failure to
provide timely notifications can increase government scrutiny and the risk
that affected individuals may not be able to take precautions, such as
enrolling in identity theft protection and credit monitoring, to prevent or
lessen resulting harm.

Higher education institutions should ensure they have incident response
plans in place, and that they test those plans with pre-breach tabletop
exercises. They should also conduct risk assessments on their information
systems to evaluate their current security posture in order to identify and
reduce vulnerabilities. To mitigate the risk of attack, higher education
institutions should implement all reasonable applicable security controls,
as recommended by the National Institute of Science and Technology and the
SANS Institute. These include a layered defense and the monitoring of
ingress and egress data – which may aid in identifying the source of an
attack. These and other proactive actions can also reduce the overall costs
of a breach. Since risk cannot be completely mitigated by technology,
higher education institutions should also review their existing insurance
policies and confirm they have adequate cyber insurance. While cyber
insurance will not prevent a cyberattack, it may substantially mitigate its
economic impact.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com