Higher Education: Critical Infrastructure and the Dark Cloud of Cyber Threats

The Department of Homeland Security (DHS) has identified 16 sectors that have been determined to be designated as critical infrastructure due to the debilitating effect on security, national economic security, national public health or safety, or any combination that would result from any of these sectors being compromised.

Included in this list of 16 is the Government Facilities Sector, which covers, “a wide variety of buildings, located in the United States and overseas, that are owned or leased by federal, state, local, and tribal governments.” Wrapped up in this sector is the Education Facilities Subsector, which covers schools that house pre-kindergarten through 12^th grade, institutions of higher education, as well as business and trade schools.

An increased reliance on the digitization of education has left the subsector more vulnerable to cyberattacks, and it is difficult to quantify the consequences of a compromise. Examining the important role higher education plays in the infrastructure of the United States can’t be done without recognizing how crucial the data is that these institutions house on their networks. The sensitivity and importance of this data makes security essential for this industry not only in the United States, but worldwide.

Consequences of Compromised Education Data

Due to our increasing reliance on data, and the interconnectedness of networked systems, the consequences of compromised critical infrastructures are more severe than ever. At the level of higher education, there are data of all types floating around on their servers. While the trend towards digitization has allowed university networks to be more open and accessible for students and staff, there is a catch.

The battle against cyberattacks is a global issue, and data that higher education networks house is in high demand. Personal data and sensitive university research data has great value to those who are outside the network, and are willing to access it at any cost. According to a VMware report, nearly 8 in 10 universities in the United Kingdom have experienced damage to their reputation due to a breach, and nearly three quarters of these universities have had to put the brakes on a valuable research project as the result of an attack.

If higher education institutions are compromised, data that has the ability to advance society in a positive way could fall into the wrong hands and held for ransom, stolen for use by others, or lost entirely.

Identifying the Vulnerability

According to University Business Magazine, higher education institutions have been the victim of 539 breaches involving nearly 13 million known records since 2005. Symantec reported in their 2016 Internet Security Threat Report that education was tied with the business subsector as the 2^nd most breached sub-sector. While there has been a race amongst higher education institutions to become more open, there are serious drawbacks to this strategy.

Large universities resemble complex enterprises that consist of thousands of users and applications, and tiers of users, from students and faculty to administration and research facilities, and they need to find cost effective ways to protect their networks. These networks have been stretched to meet the demands of students and staff while being developed within a budget determined by both state and federal governments. At the same time, the attack surface continues to grow wider and weaker, making it a more appealing target for cybercriminals around the world.

Openness is rightfully a primary concern for higher education institutions, and security has suffered as a result. With the threat landscape growing at a rapid rate, IT departments and university processes need to be revamped as a counter-measure.

There is a way forward, however. Indiana University, for example, was able to address this challenge by consolidating their security solutions while expanding bandwidth and improving the manageability of their network. IT was made a priority rather than treating it like the back-office operation that it had been in the past.

Meeting Demands of Students and Staff

According to research, students spend more than 140 hours per week on their connected devices, and 40 percent of higher education students want to use mobile technologies more than they already do. In order to keep up with these demands, increased bandwidth is a must. The path to achieve this is not as clear, but the development of Internet2 has been a good sign. In 2010, Internet2 announced the world’s first 100 Gigabit Ethernet network. Consider that a look into the future of higher education networks.

However, higher education institutions will be hard-pressed to continue to meet the growing demands of students and staff while still fully protecting their data. It certainly can’t be done with current budget constraints and network technology limitations. The security systems of the past are being stretched so thin that even novice cybercriminals are able to break through.

Expanded security capabilities need to become the norm in higher education if such a critical part of the country’s infrastructure is going to stay intact. There needs to be an increased focus on remaining open while maintaining a strong and flexible security footing, but such an expectation must be met with technological advancements designed to enable them.

The Bottom Line

Meeting the evolving security requirements for higher education institutions is a responsibility that must be accepted by those with the capacity to maintain them.

Keeping higher education institution’s server data secure means protecting the intellectual property of the brightest minds in the country. Fortinet Education Solutions are cost-efficient, while providing protection for all devices and data on the network at the highest level. For higher education institutions to meet their evolving goals, security requirements must be treated as a priority at the institutional level in order for there to be larger success at a national level.