As of July 30, 125 organizations claimed to have been affected by the Blackbaud security breach that occurred in May of this year. Of those groups, nearly half are schools or universities, highlighting a trend of increasingly complex ransomware attacks on learning institutions. To keep up and stay secure, schools need to modernize more strategically.
Colleges and universities have long been prime targets for hackers because they deal with a lot of sensitive -- and therefore valuable -- information that ranges from personal health and financial records of students, staff, and alumni to research and development data. Schools also tend to have weaker or less mature security programs. Information may be stored on vulnerable legacy systems, transported across vast networks, and accessed by unmanaged student devices. Additionally, the pervasive use of on-campus Wi-Fi enables outsiders to connect and pose serious threats.
Such an array of access points makes it difficult for schools to maintain secure digital perimeters. A transition to more technical and remote capabilities risks compounding that issue because such a transition means more access and, therefore, more access points for schools to secure and manage. Without sufficient strategy and oversight, even schools with some level of cybersecurity protection risk making themselves more vulnerable as they adapt because it’s not guaranteed that existing security measures will still be sufficient.
Blackbaud is a cloud-computing services provider that supplies many of the schools affected by the breach with CRM (customer relationship management) tools, such as platforms and systems for alumni relations or interdepartmental communications. These services reflect an interest many schools have in modernizing to improve user-experience and support remote-friendly learning. They also represent extensions of existing security threats. Greater connectivity means more devices accessing schools’ information from a wider variety of networks, including public or unsecure Wi-Fi.
Even relying on a third party to facilitate these exchanges presents vulnerabilities. Hackers frequently target third-party vendors to gain access to the organizations those vendors support. And, due to strict regulations about the handling of student records and data, schools are expected to be responsible for any actions involving that data – even the actions of an external partner.
What can learning institutions do to protect themselves?
The answer lies in awareness and strategy. Schools need to better understand their third-party information supply chain and how to manage security throughout.
This may sound like an obvious conclusion to draw, but ask yourself: What are the security policies and procedures of your third-party vendors? How do you know that your data is safe with them? What about the students and staff accessing your school’s networks – how do you know they’re following best practices?
Some of the most common cybersecurity issues are perpetuated because organizations trust that the proper measures are in place rather than investigating and evaluating those measures themselves. This is especially true as schools modernize, because not everyone has the technical understanding to know whether a system is adequately secured and what impacts certain updates will have. Schools, like other organizations, need to develop strategies, policies, and procedures to ensure that their operations are as secure as they are efficient.
Organization leaders need to audit the school’s security architecture and create a blueprint for renovations. They must hire the talent and expertise needed to build and maintain those systems and acquire the tools to support that talent. And they must invest time and resources into educating all users on best practices to keep access points secure, ultimately establishing a trust-but-verify process to ensure all third-party access meets the institution’s security requirements.
Great. But how are schools -- especially those already struggling with cybersecurity -- expected to address all of these points? How much time do they have? How much will it all cost? Where do they even begin?
Rather than getting overwhelmed by the long road ahead and cutting corners or avoiding the journey altogether, schools should think of cybersecurity as an ongoing effort and focus on taking careful, continuous steps forward. All along the way, there are resources and partners available to help. Wipro, for example, offers a comprehensive remote assessment to get universities started by identifying gaps in their security coverage, vulnerabilities in their systems, and potential threats. We then use this information to help universities align on a security development plan that accounts for their entire information supply chain. This strategic planning supports resilient cybersecurity programs that are tailored to the specific needs of an organization yet flexible enough to adapt to meet new demands.
Wipro has also formed the Quarterly Cybersecurity Advisory Council, which meets to discuss developments and innovations in cybersecurity. By sharing ideas and experiences, the council hopes to raise awareness among organizations, including those in the higher education sector, and help best practices for security become second nature.
Change is constant and rapid in the digital world. To keep up and stay secure, schools need to be aware of where they stand and where they’re headed. To start strategizing your development, contact us and ask about our remote security assessments. Then, check-in with our Quarterly Cybersecurity Advisory Council for updates on how to bring higher security to higher education.