Every organization that stores valuable information (or that would be willing to pay a ransom to recover its data) is a target for cyber thieves, and the attack on the University of Virginia’s network is just one of a recent string of higher ed breaches.
Let’s examine what is known, to pinpoint why hackers set their sights on these institutions and what can be done proactively to minimize the risk of attack.
The University of Virginia was notified of the breach by the FBI, and this latest breach is estimated to have exposed 1,400 employee records from the school’s HR system. It was not the first. In February 2015, hackers also gained access to the HR system and obtained W-2s and direct banking information of staff members. That intrusion was found to have started in November 2014 and went undetected for months, leaving the attackers plenty of time to use or sell the data before anyone realized there had been a breach.
Lack of monitoring = lack of detection and more exposure.
The UVA attack started with an email phishing campaign against staff: at least one staff member clicked the link in the email and supplied their login and password. Human error is difficult to prevent, but cyber security awareness is often lacking, especially among staff who are not considered high risk. The exposure of student medical records at the London-based University of Greenwich happened when a staff member uploaded the records to the university website along with the minutes of a faculty meeting.
Lack of cyber security training, and of testing to confirm awareness, = staff who are more susceptible to social engineering scams or to leaking sensitive data.
The University of Central Florida was breached in January. The Social Security numbers of approximately 63,000 current and former UCF students and staff members were exposed, and a class action lawsuit was filed last week alleging that UCF failed to adequately safeguard this sensitive data. Too often, IT staff are stretched thin, systems are not patched in a timely manner, outdated security devices are not replaced, and the monitoring needed to detect anomalous behavior is missing.
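To make "monitoring to detect anomalous behavior" concrete for the HR-system scenario described above (phished credentials used to pull W-2 and banking records, undetected for months), here is an added example of simple rule-based detection run over access logs. This is illustrative code written for this page, not code from the article or from any of the universities named; the key=value log format, the action names, the campus address range (198.51.100.0/24), the business-hours window and the bulk threshold are all assumptions, and the log lines are constructed.

```python
"""Rule-based detection over HR-system access logs (added example).

Assumptions for illustration: key=value log lines, the action names,
the campus network 198.51.100.0/24, business hours 06:00-20:59 and a
bulk threshold of 50 records. None of these come from the article.
"""
import ipaddress
from datetime import datetime

# Constructed sample log: normal daytime use by two accounts, then one
# account (phished credentials) used off-hours from an outside address
# to export W-2 and banking records in bulk.
SAMPLE_LOG = """\
2015-11-02T09:14:05 user=jdoe src=198.51.100.10 action=login result=ok
2015-11-02T09:20:11 user=jdoe src=198.51.100.10 action=view_w2 count=1
2015-11-03T08:59:40 user=asmith src=198.51.100.21 action=login result=ok
2015-11-03T09:05:02 user=asmith src=198.51.100.21 action=view_w2 count=1
2015-11-09T10:12:07 user=jdoe src=198.51.100.10 action=login result=ok
2015-11-10T02:41:17 user=jdoe src=203.0.113.45 action=login result=ok
2015-11-10T02:43:30 user=jdoe src=203.0.113.45 action=export_w2 count=350
2015-11-10T02:50:12 user=jdoe src=203.0.113.45 action=export_bank count=350
"""

CAMPUS_NET = ipaddress.ip_network("198.51.100.0/24")  # assumed campus range
SENSITIVE_ACTIONS = {"view_w2", "export_w2", "view_bank", "export_bank"}
BULK_THRESHOLD = 50            # records per request; assumed
BUSINESS_HOURS = range(6, 21)  # 06:00-20:59 local time; assumed


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict; 'ts' is a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    event["count"] = int(event.get("count", 0))
    return event


def detect(log_text):
    """Return a list of (timestamp, user, reasons) for suspicious events.

    The per-user baseline of known source addresses is built from the
    earlier lines of the same log, so order matters: a user's first
    login is taken as baseline, a later login from an address never
    seen for that user is flagged, and repeats from known addresses
    are not. Off-hours logins, logins from outside the campus network
    and bulk pulls of sensitive records are flagged independently.
    """
    known_sources = {}  # user -> set of source addresses seen so far
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, src, action = ev["user"], ev["src"], ev["action"]
        reasons = []
        if action == "login" and ev.get("result") == "ok":
            seen = known_sources.setdefault(user, set())
            if src not in seen:
                if seen:  # the very first login only establishes the baseline
                    reasons.append("new source address for user")
                seen.add(src)
            if ipaddress.ip_address(src) not in CAMPUS_NET:
                reasons.append("login from outside campus network")
            if ev["ts"].hour not in BUSINESS_HOURS:
                reasons.append("login outside business hours")
        if action in SENSITIVE_ACTIONS and ev["count"] >= BULK_THRESHOLD:
            reasons.append(f"bulk access to sensitive records ({ev['count']})")
        if reasons:
            alerts.append((ev["ts"].isoformat(), user, reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect(SAMPLE_LOG):
        print(ts, user, "; ".join(reasons))
```

On the constructed log this raises nothing for the ordinary daytime activity and three alerts for jdoe on 2015-11-10: an off-hours login from a new, off-campus address followed by two bulk exports. Each rule on its own is noisy (staff do travel and do work late); the point is that the combination of a new source, an unusual hour and a bulk pull of payroll data is exactly the pattern that sat unnoticed for months in the breach described above, and even rules this crude would have surfaced it within minutes rather than months.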
Pay now, or pay more later. If your organization does not proactively follow cybersecurity best practices and meet compliance requirements to protect the data in its care, the legal judgments and fines will be higher.