Cyberattacks continue to rise. In the first quarter alone, we saw a 25% increase in the number of monthly cyber attacks. And attacks on higher education institutions are rising, too. Perhaps most disturbing is the increase in ransomware attacks along with a doubling of the average demand in such attacks. In June 2020 alone, Michigan State University, University of California, and Columbia College Chicago faced extortion from cybercriminals. Why do hackers target universities and colleges? Three reasons stand out:
- Financial opportunities. As with most hacking, money is the main motivation. In 2018, 79 percent of the attacks on educational institutions were financially motivated. Cybercriminals have many opportunities, from stealing money to holding a college’s data or websites captive for ransom. While not all institutions have deep pockets, if they can be hacked easily, the payoff is worth it.
- A wealth of personally identifiable information (PII). Higher education institutions are a goldmine for PII. They have large student populations with fresh credit histories, plus alumni and employee data. Universities and colleges often store a wide variety of valuable information, everything from loans and bank account information to social security numbers and passport information—even healthcare data.
- Valuable, confidential research. More and more, institutions are the target of nation-state actors and non-state actors seeking secret military or other valuable research data. Just this spring, The Wall Street Journal reported that Chinese hackers targeted twenty-seven universities including the Massachusetts Institute of Technology and the University of Washington. The hackers were seeking information about maritime research associated with the United States military. Cyber-espionage attacks in educational institutions are 3.5 greater in 2019.
What makes higher education institutions such good targets?
Here are five reasons why hackers find colleges and universities to be easy targets:
- Educational institutions still aren’t secure enough. Education ranked the lowest of all industries on cybersecurity in SecurityScorecard’s 2018 report. Colleges, especially public institutions, struggle with budgets. Investments in security come at the cost of other items, and too often are put on the back burner.
Lax security is an invitation to cybercriminals. You might as well put up a sign: Attack Me.
- Open networks and lots of apps. College networks cover a huge space and provide students and staff access to many different applications and data. Every location is an opportunity. Institutions are focused on making access easy for students and providing all the services that make their institution competitive with others. But that opens doors for hackers.
- Students make easy targets. Corporations can train their employees and even their contractors. They invest in cybereducation. Colleges have a new crop of students every year and with such a large student base, it’s impractical to do extensive cybereducation. The young population is often inexperienced and falls prey more easily to common hacking techniques.
- Many, many devices. College campuses are the king of BYOD. Everybody is connected through their own laptops, desktops, phones, and tablets. Each device is an opportunity.
- Big campuses that are stranger friendly. When it comes to social engineering tactics, tailgating, or man-in-the-middle attacks, you don’t get a richer environment than a college campus. Strangers enter easily, go undetected, and can plant USBs, intercept traffic, or easily enter labs and research areas.
The low-hanging fruit for cyber security
Verizon’s 2019 Data Breach Investigations Report did a deep dive on breaches in different industries, including education. In examining the patterns in breaches, they found Miscellaneous Errors and Web Applications to be involved in most instances. And, not surprisingly, over 80 percent of breaches involved stolen credentials. That’s in keeping with the cross-industry rate.
Put those two pieces of data together and you can see that securing credentials to web applications is one of the first things that institutions should address.
Two technologies are key to doing so: Single Sign-On (SSO) and Multi-Factor Authentication (MFA). Single Sign-On reduces the number of passwords needed, eliminating opportunities for hackers to steal credentials. MFA adds additional criteria, beyond a username and password, that a user must supply in order to log in. That helps thwart hackers if they do happen to get the user’s password. (Don’t worry, MFA doesn’t negatively impact the student experience.) Solutions like OneLogin provide both SSO and MFA.
With OneLogin’s single sign-on portal, students and staff only have to enter one set of credentials to access their web apps in the cloud and behind the firewall – via desktops, smartphones, and tablets.
OneLogin SSO supports:
- Social Login. Social authentication lets people sign into OneLogin using their Social Identity from services such as Facebook, Google+, LinkedIn, and Twitter.
- Self-Registration. An important part of Social Login is the ability for customers to self-register.
- Mobile. Users can sign into their mobile apps using their SSO password.
- OneLogin App Catalog. OneLogin’s catalog of almost 6,000 pre-integrated applications makes it easy to enable single sign-on and user provisioning.
OneLogin MFA helps you secure access to thousands of cloud applications with a second authentication factor beyond username and password. In the event that someone steals a user’s credentials, the addition of a one-time passcode token is a significant barrier to prevent intruder access.
The OneLogin core platform includes many capabilities such as single sign-on, multi-factor authentication, a centralized cloud directory, user provisioning, contextual security policies, reporting, and an extensive App Catalog. OneLogin is an extensible solution with a robust feature set that provides creative options to meet your institution’s evolving access needs. Contact us to learn more about OneLogin.