Parents have plenty of things to worry about when they send their kids off to college: money, physical safety, their happiness, empty-nest syndrome, their future. Do they now have to worry about identity theft and data security, too?
In a word, yes. Colleges and universities have been the target of phishing scams for years. And while they continue to get better at dealing with information security threats, the ways our institutions of higher learning defend themselves against cybercriminals are as myriad as the forms of cyberattacks they face.
As with most hackers, the motivation of these social engineering scammers has ranged from financial gain to accessing secure data and research information. Analyzing the tactics, techniques and procedures (TTPs) of cybercriminals will help institutions understand who is targeting them, what the criminals want, and the methods they will likely use to gain unauthorized access.
But understanding the tactics and techniques of hackers doesn't always mean that their procedures can be detected. The higher education phishing scam of 2014 demonstrated the savvy methods behind some of these breaches.
The perpetrators had created sophisticated replicas of the university logos and used a range of salary-specific messages in the subject lines, which led to many employees believing that the messages were from a trusted source.
Hundreds of employees at academic institutions across the country had unwillingly invited criminals into their networks. Accepting as true that their employers were requesting their banking information, they shared private data that allowed the criminals to access their bank accounts and steal their paychecks.
Many institutions were able to thwart what could have been greater disaster because of the shared security information they received. "Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) is a commonly relied-upon source of information for the higher ed sector," says Steve Nyman, CISO at Dartmouth College.
According to the EDUCAUSE Center for Analysis and Research (ECAR), which provides research and analysis about information technology in higher ed for IT professionals and higher ed leaders, the willingness of colleges and universities to share security and breach information helps to reduce the number of stolen records.
Culture of openness can be costly
"Many speculate that higher education's culture of openness and transparency encourages breach reporting by institutions, even when such reporting is not legally necessary. This culture does not exist in other industry sectors, where breach reporting could damage an organization's ability to be competitive in that industry," notes a 2014 ECAR report "Just in Time Research: Data Breaches in Higher Education."
"As an industry, education has some of the lowest counts of records exposed per breach incident -- the number of reported breaches in the education industry does not mean more records containing personally identifiable information are being compromised," the ECAR report states.
Sign up for Computerworld eNewsletters.