Protect Personal, Institutional Data from Cyberattacks

Claudine McCarthy
DOI: 10.1002/whe.21308 (https://doi.org/10.1002/whe.21308)
Journal: Journal about women in higher education
Publication date: 2023-08-01
Publication type: Journal Article

Abstract

BOSTON — If your institution falls prey to a cybersecurity attack, it risks not only potential reputational damage and financial loss but also lawsuits claiming breach-of-contract or failure to comply with privacy policies/laws. To help higher education professionals protect themselves and their institutions from cyberattacks, Ron Barthel, senior director of cybersecurity training and awareness at Teachers Insurance and Annuity Association of America, gave a presentation at the annual conference for the National Association of Student Personnel Administrators—Student Affairs Administrators in Higher Education. Higher ed is “one of the most targeted industries,” Barthel noted. At least 44 universities or colleges and 45 U.S. school districts were hit by ransomware attacks last year, which is a 43% increase since 2021, and 81% of educational institutions reported malware encounters. The average cost of a data breach in the education industry is $3.79 million, and the average cost of ransomware attacks in education is estimated at $2.73 million, which is 48% above the global average and the highest among 13 industries, Barthel added. Because 82% of cyberattacks involve the human element, and 65% of organizations are seeing an increase in cyberattacks due to remote work, it's critical to raise awareness among all members of your campus community. “None of us can assume we're safe at work or at home. We're all under threat now. The attacks are real and have real impacts,” Barthel said, and the problem is only poised to get worse because higher ed “is an easy target.” Academic credentials are for sale, which allows outsiders to access your network, which houses research intelligence, student and employee data, patient medical records and special equipment and labs—all of which cybercriminals can monetize, Barthel stressed. Despite this risk, colleges and universities have a track record of historically lower spending on cybersecurity than the private sector does. 
Cybercriminals are after your identity (i.e., name, address, social security number, date of birth, phone number and driver's license information), your access (i.e., your passwords, email, online accounts and answers to your security questions), your money and your reputation (via ransomware exploitation, and fraudulent tax returns, money transfers and applications for credit cards and loans), Barthel warned. Most (90%) data breaches occur with phishing (via email), which tricks you into clicking on links to fake log-in pages for accounts, and other methods include vishing (via phone call) and smishing (via text), in which you're lured in by provocative photos or requests to buy gift cards, for example, Barthel explained. In “double-barrel attacks,” cybercriminals build familiarity by phone and then send a follow-up email with links, he added. Report personal or institutional attacks. When something doesn't seem right, don't engage, report the matter and block the sender. Contact the Federal Bureau of Investigation (800-CALL-FBI or bit.ly/3Wc5KZ4), the Department of Justice (833-372-8311), the Federal Trade Commission (877-438-4338) or the Social Security fraud hotline (800-269-0271). This article originally appeared in Campus Legal Advisor, a sister publication to Women in Higher Education.