4 Reasons Cyber Criminals Are Targeting Higher Education: Part 1

Before COVID-19 hit, colleges and universities typically had sound online security policies and provisions in place to protect against cyber threats. But after pandemic restrictions were put into place and schools had to quickly change their teaching and learning models, transforming into online learning institutions in days, higher education institutions across the country were forced to re-visit their cyber security strategies.

As a result, many universities and colleges were caught unprepared for the massive shift to remote teaching and learning. They discovered the hard way that they weren’t able to adequately safeguard students, staff and the institution itself from cyberattacks or protect the school’s intellectual property and data from being compromised.

Colleges and universities present a wealth of opportunities for cyber criminals. The market is enormous. There were 19.7 million college students in the U.S. in the fall of 2020, according to National Center for Education Statistics data. In addition to the students, attackers also look to target faculty members, parents and third-party service providers. In general, cybercriminals are becoming increasingly sophisticated, sneaky, and aggressive and they’re using a mixture of new and tried-and-true and methods like ransomware and malware to go after potential victims. And it’s no wonder these bad actors are working so hard: the rewards can be enormous.

1. Financial profit: The most obvious benefit is financial. Ransomware attacks, where an attacker installs malware that encrypts a victim’s files and essentially holds them hostage and then demands payment to restore access to the information, can yield big payoffs. This past year, the University of California – San Francisco revealed that it paid a $1 million ransom after an attack on its School of Medicine, and The University of Utah paid more than $450,000 in ransomware when criminals attacked its servers. Hackers can also directly attack payment systems. In some cases, a hacker can get into and impersonate a school’s accounts payable systems and extract money from students and their parents.  
2. Data theft: Universities have enormous data stores, that house information including the personal information of students, staff, providers and vendors like addresses, telephone numbers and even sensitive data like medical records. Criminals that hack into college systems can then use the information to exploit or extort individuals or even the entire school. The situation becomes even more complicated when hackers get into admissions department systems, which might store the social security numbers and academic information of students the school is trying to recruit.
3. Espionage: Many colleges and universities are research institutions and theft of intellectual property, especially in critical areas like medicine or engineering, for instance, can inflict severe damage and yield real results for attackers. Attackers can get information on research findings that they can then sell to competitors or even other countries to influence their economies or policies. Attackers can hold the information hostage and demand a ransom paid for its release. An attack can also simply throw a wrench into the projects by restricting researchers from accessing their data and slowing or halting the progress of studies. 
4. Distributed Denial-of-Service (DDoS) attacks: DDoS attacks are a sort of cyber shock and awe assault on a school’s systems. The criminals typically flood a specific device or network with an overwhelming amount of traffic, causing it to crash and disrupting services either temporarily or indefinitely. In general, DDoS attacks come from multiple sources and are difficult to contain since schools can’t simply block a single attacker. DDoS attacks are particularly nefarious because they may be carried out to exact revenge against an institution, slow down the institution, costing money and time, or even as a distraction while the attackers perpetrate additional attacks.

Higher education institutions may have found they needed to focus more heavily on cybersecurity after their quick pivot into remote and online learning. However, beefing up security is always a good idea, during COVID and after.