Email Security For Higher Education: How Can Universities And Colleges Protect Staff And Students From Threats?

One of the key challenges facing higher education institutions is securing their staff and students from email threats, such as phishing attacks and account compromise. These email threats are growing more common and more sophisticated.

Educational providers of all sizes are being targeted, from Fortune 500 companies, to local state colleges. They usually involve attackers using email to send out phishing attacks, to elicit fraudulent payment. These threats put both students and staff at risk, and are costly and time-consuming to combat.

However, while multi-million dollar companies can afford to spend thousands on expert security teams, colleges and universities must deal with complex security challenges on a budget, with money best spent on students and teaching.

In this article, we will cover the major issues challenging universities and colleges around the world, the key systems they need to have in place to solve them, and the considerations higher education institutions must make in order to ensure they can find the right security solutions.

Why are Higher Educational Institutions at Risk from Cyber Security threats?

Colleges and universities have to deal with targeted and sophisticated email security challenges. Email has consistently been the number one entry point for threats, with 90% of breaches beginning with an email attack, such as phishing. For attackers, education institutions are a particularly enticing target for attack.

Vendors in the email security market tell us that in the majority of cases they see, higher education institutions will not have the right security tools in place to stop email threats. There is also often a lack of awareness about threats, among both university staff and students.

On top of this, high value email addresses and contact details of staff and professors are normally publicly available online, allowing attackers to easily target them with phishing attacks, or spoof their domains. It’s also very easy for cyber-criminals to sign up for an education email account, as many colleges and universities allow anyone to create an account to apply for a placement. This provides cyber criminals with a university email address, which they can use for phishing campaigns.

With these different avenues of attack, it’s no surprise that the numbers of attacks we see against colleges and universities continues to grow. Attacks are becoming so widespread that in 2017, the FBI had to issue a warning that college students across the US were being targeted with phishing attacks.  

Higher education institutions are also being threatened with industry specific attacks. Earlier in 2019, nearly 400 universities around the world were targeted by sophisticated nation-state affiliated hackers attempted to steal intellectual property conducted by university researchers.

Colleges and universities also hold sensitive data on students, including personal and financial information, as well as accounts and passwords, which are very valuable for attackers.  For this reason, there are a number of cases of cyber criminals targeting educational organizations to compromise data.

What are the threats facing higher education?

There are two common types of attack that universities and colleges are targeted by. The first are impersonation attacks, in which attackers will pretend to be a trusted account. The second is account compromise, which sees attackers takeover accounts, to send out spam or phishing attacks. Attackers are looking for quick hits, and quick pay-outs, and these types of attack fit the bill perfectly:

Phishing

Phishing is one of the most common attacks facing higher education institutions. A recent report from the Higher Education Policy Institute and JISC, a security provider for higher education, found that there has been an increase in phishing attacks, both in number and in sophistication.

This report urges colleges and universities to improve their protection against scams to reduce the risk of personal staff and student data, as well as research data. Phishing attacks can be very difficult to block. They involve cyber-criminals sending malicious emails which attempt to trick recipients into giving up financial information, or going to a fake website and entering a username and password. In a recent case from the UK, students were told they had been awarded a grant of £1,750, but were taken to a malicious web page, in an attempt to obtain usernames, passwords and credit card details.

This type of attack is difficult to stop, because these emails don’t necessarily contain anything overtly malicious. This means security technologies and virus scanners don’t identify them as being harmful, and they are delivered to inboxes without being stopped. Having the right security solution in place that can effectively block phishing attacks is hugely important.  

The report found that as academic years begin, there is an increase in the number of these phishing emails. Specifically, there has been a rise in ‘Student Grant Fraud,’ where students are sent emails purporting to offer free student grants, or requesting bank details to receive free loans. Of course, these emails are fraudulent, and can cost students thousands.  

Business Email Compromise

One of the other major threats targeting higher education institutes in particular is business email compromise. This is where email accounts are hacked, with account credentials stolen. Cyber criminals will then use the compromised accounts to send out hundreds of spam emails and phishing attempts to everyone else within the institution.

This kind of attack normally originates with phishing, and can rapidly spread. There have been past reports of up to 1.5 million spam emails being sent out from compromised university accounts, after attackers gained access to the staff email server, and we hear from security teams around the world that these attacks are common.

More recently, in June 2019, Oregon State University announced a security incident in which cyber criminals compromised a single employee’s email account, and abused their contact list to send out phishing emails to students and former students around the country. That single account had access to over 636 students and their families, including names birthdays and social security numbers.

This type of attack is more than just a nuisance. It slows down email servers, causes legitimate university emails to be rejected as spam, and can potentially lead to the spread of phishing attacks which can cause financial loss and credential theft. These kinds of attacks are time consuming and difficult to deal with, and can cause problems for staff and students who need to be able to communicate effectively.

The best way to stop these types of attacks is to have a strong email gateway in place, which will identify compromised accounts and stop them sending out malicious emails.

Ransomware

Ransomware is a less common but still potentially very damaging type of attack facing higher educational institutions. Ransomware involves hackers sending out phishing emails that deliver a malware or virus download. If this malware is installed, it rapidly spreads out to other machines, duplicating itself. It encrypts all files and renders computers and laptops affected useless. Hackers will then display a messages, threatening to keep files locked, or delete them, unless a ransom is paid.

For universities and colleges this can be hugely damaging. It presents a very real risk of academic work being lost or destroyed unless huge sums of money are paid. This is true for both student work, and staff research, which could represent hundreds of hours of work and thousands of dollars, if not backed up properly.

There have been numerous examples of this type of attack. In July 2019, cyber criminals succeed in attacking a college system in New York, with a ransomware attack that compromised multiple campuses. The hackers encrypted all of the school’s files, demanding a sum of 170 bitcoin, which at the time was worth about $2 million. This attack caused chaos for the school, with additional costs of paying for the files to be restored, implementing cyber defences, and dealing with student concerns after the attack.

Ransomware happens to universities and colleges regularly, and the best way to prevent them is to implement robust email defences that can stop these threats before they’re executed. Although in some cases files are able to be restored from backups after the ransomware has struck, it’s far better to stop the malware being delivered in the first place.

How Universities and Colleges Can Stop Email Threats

Phishing, ransomware and account compromise are the three biggest threats facing higher education. Here are the best ways that security teams can combat these threats:

Secure Email Gateways

The first step to blocking email threats targeting higher education institutions is to have a strong email security system in place. Email gateways act as a firewall for your email communications. Using threat protection technologies like attachment sandboxing and URL link scanning, email gateways stop ransomware and spam before they are delivered to your users.

With email gateways you can also blacklist and whitelist domains, to stop known harmful accounts from being able to target staff and students. Email Gateways also provide outbound email protection, they are able to stop accounts from sending out spam or phishing attacks based on pre-defined rules. Email gateways can be delivered as a cloud service, on-premise or as part of a hybrid deployment model.

Read: The Top 11 Email Security Gateways

Cloud Email Security

Cloud email security solutions protect users from threats from inside the email inbox. Like gateways, they can filter incoming email, looking for signs of threats like ransomware by picking up malicious links and attachments. But the key threat defence they provide is using machine learning to identity and block phishing attacks, and giving admins the chance to remove these threats, even after they have been delivered.

Many cloud email security solutions will place warning banners on emails which alert users to messages that are potentially harmful. They also allow end-users to report emails which they believe to be suspicious. According to admin policies, this will then remove the email from all other inboxes. Cloud email security solutions solutions work well with cloud based email platforms like Office 365.

Security Awareness Training

Many of the common cyber threats that we see facing higher education institutions come from a lack of awareness about the threats and how stop spot them. Implementing Security Awareness Training for all staff, including those in admin roles, is an important step in combatting email threats, by making sure everyone knows what they look like and how to stop them.

Many Security Awareness Training vendors also provide phishing simulation. This allows admins to create simulated phishing email campaigns and send them out to staff, helping to see where people need more help spotting email threats. Security Awareness Training is delivered as a cloud based service, providing admins with a dashboard to deliver email campaigns.

Read: The Top Security Awareness Solutions For Teams

Summary: Key Questions for Higher Education Security Teams

We’ve covered the major threats that are facing security teams today. What questions should you, as someone making security decisions on behalf of university or college be asking? It may be useful to consider the following three questions.

1. Do you understand the cyber security threats facing further/higher education institutions, and the harm they can cause?
2. Are you aware of how vulnerable your organization is to cyber security threats?
3. Have you got the right cyber security technologies and best practices. in place to stop attacks from reaching your organization?

Considering these factors will help you to know how strong your cyber security defences are and how equipped your organization is to deal with cyber threats.