Cyber attacks are becoming increasingly sophisticated and are targeting not only corporate entities, but also educational institutions with valuable data. Reports show that educational institutions fall among the top targets for cyber attacks, where incidents in this sector have increased by 44 percent from the prior year.1 “We have definitely seen an uptick in cyber attacks in the last few years and education and local governments are getting hit pretty hard,” says Dr. Dawn Dunkerley, Virtual Chief Information Security Officer, Edge. “Especially in the higher education space where government-funded research projects are being conducted, we’re seeing an increase in threats where people would like to gain access to this information. Institutions must gain an understanding of the current threat landscape and take proactive measures to fortify their defenses.”
The Emergence of New Age Cyber Threats
Cyber attacks are popping up in every industry and across every region as hackers continue to find new ways to take advantage of vulnerabilities. With the rise of artificial intelligence (AI) and its growing integration into our day-to-day lives, the landscape is changing rapidly and a new age of cyber threats is emerging. “Cybercriminals use AI-powered phishing attacks and create intelligent malware to infiltrate networks or devices,” explains Dunkerley. “While AI tools are providing us with many opportunities to streamline and automate processes, this technology can also open the door to cyber crime. In previous years, AI-powered phishing attacks were common, where you may receive a poorly-worded email with misspellings that were easy to spot.”
“Cybercriminals are now using ChatGPT, for example, to create more sophisticated attacks,” continues Dunkerley. “This AI-powered language model can generate human-like text that is more difficult to identify as malicious, as well as can contain code and malware that is designed to attack an organization’s network.” Another trend on the rise is Deepfake AI where convincing images, audio, and video of real people are generated by machine learning. “Deepfakes present new challenges with fraud and misinformation, identity theft, and political manipulation,” says Dunkerley. “We have started to see deepfake voice recognition issues where people are creating voices to attempt to gain access to organizations. So, while AI can lead to incredible opportunities, there are also threats we need to be aware of and ensure protective measures are put in place.”
“Organizations must recognize the importance of cyber defense and that cybersecurity is not where you should cut corners. If you lose the ability to process financial aid, for example, the consequences could be disastrous. To create a strategic plan for success, you want to clearly identify your budgetary needs and the cybersecurity resources that will help enhance your defense.”
— Dr. Dawn Dunkerley
Virtual Chief Information Security Officer
Edge
The MOVEit Attack
One of the most prominent cyber attacks of 2023 is known as the MOVEit breach that compromised confidential data across a wide range of entities. “The latest number of organizations that have been compromised by the MOVEit breach is over 1,000, and has affected over 60 million individuals,” shares Dunkerley. “MOVEit is a piece of software that was created as a file-sharing tool. Current investigations believe their source code was compromised by a ransomware actor and they were able to gain access to organizations that were using the client-based version of the MOVEit software.”
The education sector was among the industries affected by this cyber attack, where reports say nearly 900 colleges experienced a data breach during the mass hack. Among the organizations affected by the breach include National Student Clearinghouse, Teachers Insurance and Annuity Association of America-College Retirement Equities Fund (TIAA-CREF), and Pension Benefit Information (PBI) Research Services. “For National Student Clearinghouse, thousands of student enrollment and other records were involved in the breach,” explains Dunkerley. “This attack has two tiers of compromise, where the lower tier is basic information including student name and non-sensitive data, and the second tier includes more personal information like Social Security numbers. We are working diligently with our member institutions who had information exposed to help provide the steps needed to protect themselves.”
TIAA is well known in the education space for helping provide retirement tools for people in academic, government, medical, cultural, and other nonprofit fields. The organization confirmed that one of its third-party vendors had been exposed in the MOVEit breach, and as a result, has filed a class action lawsuit alleging a breach of nearly 2.4 million personal records. PBI Research Services, a third-party vendor, had to inform their customers when they became aware of the MOVEit data breach. “This incident shows us how strongly we can be affected by third parties that are working on our behalf,” says Dunkerley. “It is becoming increasingly clear that we must make a strong push to understand vendor risk and manage the impact of such events on the education sector.”
“At Edge, we actively monitor our third-party risk and urge institutions to understand who their critical vendors are, who has access to the network, what is their critical software, student information systems, learning management systems, and critical infrastructure. Your organization can also benefit from investing in advanced tools. Technology continues to emerge that uses AI for continuous threat monitoring and detection. We want institutions to be equipped with the tools they need to create a holistic security approach that is both effective and affordable and allows you to make proactive, responsible decisions to improve cybersecurity within your organization.”
— Dr. Dawn Dunkerley
Virtual Chief Information Security Officer
Edge
Investing in Cyber Defense
The financial impact of a cyber attack is not just in the moment, it also extends into rebuilding IT systems and restoring data. “There are significant costs, including people, process, and technology, that are associated with response and recovery,” says Dunkerley. “You may have to create stand-up call centers to receive phone calls or stuff and send out envelopes with notification letters. Educational institutions may also face significant legal fees and penalties following a cyber attack, and can experience reputational damage; impacting future enrollment and funding.”
Cyber attacks can cause significant disruption to learning, with systems and networks often being taken offline for extended periods of time. This can result in lost revenue and enrollment for educational institutions. “Along with the cost of recovery efforts, a data breach can have a huge impact on learning,” says Dunkerley. “You may see a disruption to classes, assignments, and educational resources. Cyber attacks can cause systems and networks to be taken offline, which can disrupt classes and assignments, and result in students falling behind in their coursework.”
Identity theft and other privacy violations are also a major concern when sensitive student data, such as personal information and grades, are compromised. “Cyber attacks can also disrupt research projects at an institution and can impact funding and progress in the field of education,” says Dunkerley.
Optimizing your Cyber Defense
Understanding the evolving threat landscape is an important step in creating a strong cyber defense strategy that prioritizes and optimizes a cybersecurity budget, addresses the most critical functions, and enhances the defense against emerging threats. “Organizations must recognize the importance of cyber defense and that cybersecurity is not where you should cut corners,” explains Dunkerley. “If you lose the ability to process financial aid, for example, the consequences could be disastrous. To create a strategic plan for success, you want to clearly identify your budgetary needs and the cybersecurity resources that will help enhance your defense.”
To optimize a cyber defense budget and prioritize spending, institutions can benefit from implementing spending on critical functions like firewall enhancements, user education, and intrusion detection systems. “Training and education are also critical parts of a cybersecurity strategy and creating an incident response team and tested incident response plan,” says Dunkerley. “You want to be able to answer the question, how can we improve general user behaviors? When this behavior or something else fails, how do we identify that something has happened? Knowing these answers can then inform how to react and recover appropriately.”
Creating a Culture of Cyber Awareness
Outlined in the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA), institutions are required to protect private data in accordance with a written information security plan created by the institution. To be compliant, organizations must use administrative, technical, or physical safeguards to access, collect, distribute, process, protect, store, use, and dispose of customer information. Requirements include using proper software, testing and monitoring vulnerabilities, and providing employee training and education.
To enhance your institution’s cyber defense, Dunkerley says conducting a comprehensive risk and vulnerability assessment is a good place to start. “It’s important to understand what your top risks are from a confidentiality, integrity, and availability perspective and the impact of each. You also want to understand your overall vulnerability, including physical security. This goes beyond just a scan; you want to gain a comprehensive view where you can identify possible vulnerabilities before they become a threat.”
The GLBA requires institutions to develop an incident response plan and test it regularly. “We definitely recommend reviewing your response strategy at least every year, if not every six months,” says Dunkerley. “The response team also needs to include other team members than just the IT staff. In the event of a breach, there is potentially internal communications that will go out to the faculty, staff, and students, as well as external communication to other organizations. There will also be a legal aspect. The incident response team is multi-faceted and will require a cooperative effort during response and recovery.”
Edge encourages institutions to understand third-party vendor risk and recommends a vendor risk management program. “At Edge, we actively monitor our third-party risk and urge institutions to understand who their critical vendors are, who has access to the network, what is their critical software, student information systems, learning management systems, and critical infrastructure,” explains Dunkerley. “Your organization can also benefit from investing in advanced tools. Technology continues to emerge that uses AI for continuous threat monitoring and detection. We want institutions to be equipped with the tools they need to create a holistic security approach that is both effective and affordable and allows you to make proactive, responsible decisions to improve cybersecurity within your organization.”
To learn more about building a proactive cyber defense strategy and investing wisely in your cybersecurity infrastructure, visit njedge.net/solutions-overview/cybersecurity/.
1Check Point’s Mid-Year Report for 2022. August 2022.
