A recent report, Cyber Criminals, College Credentials, and the Dark Web from Digital Citizens Alliance (DCA), confirms what has long been feared: The problem of hackers stealing the usernames, passwords, and personal information of students and faculty from colleges and universities and selling this information on the dark web is greater than most realized.
Over eight years, researchers at ID Agent, GroupSense, and Terbium Labs joined DCA to review the availability of credentials from the 300 largest higher education institutions (HEIs) in the United States. The report found that a staggering 13.9 million email addresses and passwords of faculty, staff, students, and alumni were bought and sold on the dark web.
Although the report points out that state-sponsored cyber attacks on HEIs have somewhat declined, HEIs remain a high-value target of hacktivists and cyber vandals. This is because of the variety of data and personally identifiable information (PII) available through HEIs that can be extracted for financial gain, including medical records, credit card and financial information, intellectual property, and research conducted with businesses and government agencies.
The Cybersecurity Poverty Line
In addition to the volume of available information, HEIs remain especially vulnerable to hackers because of a lack of allocated security funds and limited IT staff resources. This lack of resources often means that HEIs are below the “cybersecurity poverty line,” a measurement that determines whether an organization is adequately investing in protecting user and institutional data. Throw in password fatigue and the fact that students are easy targets for phishing scams, and it’s not hard to see why universities are a prime target for hackers.
The Case for Stronger Identity and Access Controls
The report notes that, beyond strengthening networks, security tooling, and budgets, HEIs must address the fact that many attacks begin with end users. Education must step up security with stronger identity and access controls that close gaps in security and ensure that unauthorized personnel cannot access HEI systems and data.
The report highlights several ways to combat hackers:
- Create separate networks for critical systems: If hackers attack one system, the other systems will be unaffected and safe.
- Keep current with patches: Staying up to date can mean the difference between staying ahead and being left behind—and being hacked.
- Offer education about creating robust passwords: Teaching students how to create strong passwords for their college email accounts is the first step in HEI cybersecurity practice.
- Test faculty, staff, and students to see who clicks bad links: Hackers often target college students with phishing emails that entice students with offerings of work opportunities and easy money. Phishing simulations can help train students to avoid clicking on these links, and the involvement of faculty and staff will show how anyone can fall for a phishing scam if they’re not looking for the warning signs.
The Importance of MFA at HEIs
The report also makes the case that it’s time for HEIs to incorporate multifactor authentication (MFA) into their security plans. MFA adds an extra layer of protection by requiring users to verify their identities using at least two independent authentication factors: something the user knows (such as a password), something the user has (such as a phone or hardware token), or something the user is (such as a fingerprint).
By requiring additional authentication factors alongside or in place of passwords, even if a student or faculty member falls victim to a phishing scam and has his or her username and password stolen, access to that person’s accounts and sensitive data would still be protected.
Furthermore, by implementing strong, adaptive authentication, HEIs can adjust the level of authentication to the risk level of a given situation—for example, requiring more stringent authentication when a staff member accesses sensitive student financial data than when accessing systems that do not contain PII. By implementing adaptive authentication for faculty and staff, HEIs can avoid making low-risk activities inappropriately burdensome and high-risk activities too easy.
HEIs can also leverage students’ existing smartphones to implement cost-effective authentication methods, such as time-based one-time passwords (TOTP), short message service (SMS) codes, or fingerprint biometrics. Not only do these authentication technologies help protect sensitive data, such as health records, financial information, and other PII, but these systems are easy to implement and easy for students to use—even when they’re busy in school.
The findings of this report should be a wake-up call for colleges and universities. Now’s the time to make authentication projects a priority. As the study shows, every day you wait to step up security measures is another day your organization and student data are exposed.
Implementing adaptive authentication and smartphone-based authentication as part of a comprehensive identity and access management solution is a critical step in protecting your organization’s and users’ sensitive data from today’s more sophisticated threats. These solutions are affordable and worth the investment in the long run, all while providing a better user experience for students, faculty, and staff.