Higher Ed has until June to Graduate their Cyber Security… Or Else!
When we talk about cyber security in education, it is not only for K through 12. Universities are an unfortunate target for cyber criminals as well, especially those that are smaller with fewer resources. As with small businesses, non-profits, and smaller city and county governments, most resources at a regional college or university are stretched to the limit for academic use. Therefore, they are less likely to have robust cyber security programs.
In the very places where we need to cultivate the future talent of cyber security practitioners, we are not protecting them with the very skills they are taught. Unfortunately, this has serious implications for the students, the universities, and their alumni.
In just 2022, we know of at least 35 US colleges and universities hit with ransomware attacks. These include North Idaho College, Florida International University, North Carolina A&T University, Savannah College of Art and Design, and even Grand Valley State University in Michigan, which offers a degree in cyber security.
Stratford University in Virginia was hit with three ransomware attacks in 2022 alone! Then in August, the administration announced that the school would close at the end of the fall semester due to accreditation and finance issues. However, the fact that financial issues were part of the decision seems connected to having been attacked many times. At the very least, it indicates that once they were attacked, they did not take appropriate measures to shore up their defenses, allowing two additional attacks.
While Stratford had been open since 1976, another small college with a historic legacy faced a similar fate. Lincoln College in Illinois, named after the President who ended slavery, had opened in 1865. The administration of the historically black college or university (HBCU) cited the many challenges it had overcome in its 157-year existence, from economic crises, fires, and wars to pandemics (1918 and 2020). This time, however, the challenges of the pandemic necessitated exponentially accelerating the transition to remote learning and dependence on technology to survive. While holding on by a thread, the unthinkable happened when a ransomware attack hit Lincoln College in December of 2021, which made all systems for registration, academic files, finance, admissions, and fundraising inoperable.
College President David Gerlach stated that the school’s IT director assured him four months before the attack that they “were all protected” after another local college had been attacked. They were not.
In November, Xavier University in Louisiana, the only Catholic HBCU, fell victim to a cyber attack in which the personal information of over 44,000 students and vendors was breached.
Last week, another ransomware attack hit Mount Saint Mary College in New York.
The HBCU schools that help people to become educated and give back to their communities are doing good work. However, there are always bad people out there who will hurt anyone if it helps them to make a dollar. To that end, it is a critical function of these school administrators to ensure their systems, data, and operations are protected. Otherwise, they may be the next to have to close their doors for good.
Most of these institutions rely on financial aid programs and do not have the extra resources to implement network security programs to protect their vital information and systems.
To help these institutions implement the proper controls, the U.S. Department of Education has notified all institutions of higher education that handle federal financial aid data that they have until June 09, 2023, to comply with the Gramm-Leach-Bliley Act (GLBA) Cybersecurity Requirements for safeguarding customer information (student data) as it relates to Federal student financial aid programs (Title IV programs).
The requirements of the GLBA include administrative, technical, and physical safeguards of student financial aid data. Comprehensive programs must include nine elements that address the following:
- Designation of a qualified, responsible individual to implement the program
- A risk assessment
- Implementation of safeguards to control the risks
- Regular testing/monitoring
- Policies and procedures
- Plan for oversight of service providers
- Continuous review of any changes that impact the information security program
- Incident response plan
- At least annual reporting to the institution on the information security program