Cybersecurity Risks Increase for Colleges and Universities

Boards and executive leaders often lack visibility into cybersecurity efforts. Cybersecurity risk management must be driven by senior leadership to ensure that resource investment is prioritized toward the most critical vulnerabilities that could expose highly sensitive data. Working from home and the increased need for online learning have raised additional cybersecurity risks for higher education institutions. With this comes increased pressure to ensure that networks and platforms are secure enough to handle the additional online classes and network traffic.

On April 1, 2020, the U.S. Federal Bureau of Investigation (FBI) issued a public service announcement regarding cybercrime associated with increased use of virtual environments.

In their announcement, the FBI highlighted increased vulnerabilities that colleges and universities could face as a result of faculty, staff, and leadership working with confidential data on home and public networks. “The COVID-19 pandemic has led to a spike in businesses teleworking to communicate and share information over the Internet. With this knowledge, malicious cyber actors are looking for ways to exploit telework software vulnerabilities in order to obtain sensitive information, eavesdrop on conference calls or virtual meetings, or conduct other malicious activities.” [1]

Explicitly referring to educational entities, the FBI further warned that “today's rapid incorporation of education technology (edtech) and online learning could have privacy and safety implications if students' online activity is not closely monitored,” noting that students’ personal information, such as medical records and counselor reports, is among the data at risk.

Being informed and maintaining vigilance can help colleges and universities avoid this type of cybersecurity threat during the COVID-19 pandemic. DHG recommends the following steps to stay protected:

  • Conduct a comprehensive cybersecurity risk assessment to understand where critical vulnerabilities lie.
  • Conduct a cybersecurity awareness assessment that includes awareness policy development, awareness training for employees, and social engineering testing.
  • Evaluate cybersecurity policies from all third-party hosting services.
  • Notify employees to be attentive to phishing attacks through texts, emails and phone calls that offer fast services such as medical assistance or charity collections.
  • Utilize an “External Email” stamp for all incoming email so that employees are less likely to be fooled by imposters posing as employees.
  • Ensure all anti-malware software is updated on electronic devices.
  • Have an incident response plan in place in the event a cybersecurity breach does occur.
  • Create a recovery plan and a business continuity plan to operate with the proper security in the event normal operations are interrupted.

DHG is committed to helping boards and management mitigate their risk of cyber threats. For more information on current cybersecurity threats, please contact a member of our non-profit practice at nonprofit@dhg.com or our IT Advisory Services Group at itadvisory@dhg.com.

References:

[1] FBI PSA - CYBER ACTORS TAKE ADVANTAGE OF COVID-19 PANDEMIC TO EXPLOIT INCREASED USE OF VIRTUAL ENVIRONMENTS - PSA Alert # I-040120-PSA - https://www.ic3.gov/media/2020/200401.aspx