Why Your Institution Is at High Risk of Cyberattacks

by Stacie Kowalczyk
July 13, 2017

Although most cyberattack headlines are about corporations, colleges and universities face an unusually high threat from hackers. In fact, higher education has the highest number of cyberattacks of any industry, according to University Business Magazine – which is not well known even in the world of higher education. In the last few years, cyberattacks have put many of the country’s leading institutions at risk. The largest breaches have affected hundreds of thousands of students, faculty and staff, and compromised personal information such as names, addresses and social security numbers.

There are a number of reasons for these alarming statistics. For one, colleges and universities are more likely targets for cyberattacks simply due to the staggering quantities of personal information they retain related to students, faculty, parents and families, vendors and alumni. Additionally, the open and collaborative environment of most institutions puts them at even greater risk of attack, because many provide online learning, where faculty and students log in from personal devices to participate. Personal devices typically are much harder to secure than computers or devices that are part of an institution’s assets.

The common attacks affecting colleges and universities include:

  • Network destruction
  • Ransomware
  • Extortion
  • Business email compromise
  • Point-of-sale breach
  • Theft of intellectual property (IP)
  • Theft of personally identifiable information (PII) and financial information (FI)

The damage from an attack can be devastating. Imagine the impact of a data breach and how costly it would be for your institution. And add on to those costs the expense of defending your institution against some type of class-action litigation or other lawsuit filed by individuals who were harmed by the attack.

What Should Your Institution Do?
Being informed about your institutional risks and having a reasonable plan to address them is the key to minimizing the risk and loss associated with cybersecurity attacks. You can start with these steps:

1. Collaborate and communicate. After a breach, we often see a finger pointed at a specific employee or student, with a comment about how the attack could have been prevented if they only would have done X, or not clicked on Y. User education is critical, but institutions should not rely on education alone.

2. Engage your board of directors. Cybersecurity is everyone’s responsibility. The board should set the tone at the top and instill this in the culture of the institution.

3. Establish a cybersecurity program. Follow these basic guidelines.

  • Information technology security must be process driven.
  • Software used internally must also have good security.
  • Model the threats, perform a risk assessment and have an incident response plan.
  • Include the cybersecurity program in your institution’s strategic planning process.
  • Can you attack your own systems? Do test runs and learn from them.

4. Ensure proper tone at the top through board governance.

5. Complexity is the enemy of security. Aim for these goals to streamline systems and processes:

  • Integrate
  • Consolidate
  • Automate

Most of these measures and steps do not require an institution’s management or board to have in-depth knowledge or expertise in cybersecurity or technology. For many institutions, having a reasonable plan to be informed about your institutional risk and having a plan to address risk is the key to minimizing the risk and loss associated with cyber security attacks.

New Cybersecurity Compliance Audit Requirement?
In 2003, the Federal Trade Commission established the Safeguards Rule, pursuant to the Gramm-Leach-Bliley Act (GLBA). As part of the Safeguards Rule, institutions that participate in federal student financial assistance programs are required to maintain a written security program that provides for reasonable measures to secure student information, and to regularly test and monitor the systems and controls surrounding the security program.

In July 2016, the Federal Student Aid (FSA) office released guidance for colleges and universities on student financial aid information security, which highlights institution requirements under GLBA and the Student Aid Internet Gateway (SAIG), a similar act. With this guidance, FSA added specific provisions to mandate compliance with GLBA through an audit requirement, which entails examination of evidence of GLBA compliance as part of the institution’s annual student aid compliance audit conducted by its external auditor. This audit requirement is anticipated to take effect in 2018, so your institution should start gearing up now to be in compliance.

Start Building Your Defense
Cyberattacks are a very real threat for colleges and universities, but there is a lot you can do to protect your institution. Click here to download our guide on Mitigating Your Nonprofit’s Digital Risk to help get you started.

July 13, 2017

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Related News & Insights
SaaS Market Trends
Between the uncertainty of 2022 and the highs of 2021, what will 2023 hold?

December 14, 2022 | 09:00 AM - 10:00 AM PT
Fraud: Current Trends & Hot Topics
Don’t let fraud negatively impact your organization.

December 8, 2022 | 11:00 AM - 12:00 PM PT
Year-End Tax Planning for High-Net-Worth Individuals
Our tax experts will dive deep into our annual year-end tax planning guide.

December 8, 2022 | 09:00 AM - 10:00 AM PT