One of the key challenges facing higher education institutions is securing their staff and students from email threats, such as phishing attacks and account compromise. These email threats are growing more common and more sophisticated.
Organizations of all sizes are being targeted, from Fortune 500 companies, to local state colleges. They usually involve attackers using email to send out phishing attacks, to elicit fraudulent payment. These threats put both students and staff at risk, and are costly and time-consuming to combat.
However, while multi-million dollar
companies can afford to spend thousands on expert security teams, colleges and universities
must deal with complex security challenges on a budget, with money best spent
on students and teaching.
In this article, we will cover the major issues challenging universities
and colleges around the world, the key systems they need to have in place to
solve them, and the considerations higher education institutions must make in
order to ensure they can find the right security solutions.
Why are Higher Educational Institutions at Risk from Cyber Security threats?
Colleges and universities have to deal with targeted and
sophisticated email security challenges. Email has consistently been the number
one entry point for threats, with 90% of breaches beginning with an email
attack, such as phishing. For attackers, education institutions are a
particularly enticing target for attack.
Vendors in the email security market tell us that in the majority of cases they see, higher education institutions will not have the right security tools in place to stop email threats. There is also often a lack of awareness about threats, among both university staff and students.
On top of this, high value email addresses and contact details of staff and professors are normally publicly available online, allowing attackers to easily target them with phishing attacks, or spoof their domains. It’s also very easy for cyber-criminals to sign up for an education email account, as many colleges and universities allow anyone to create an account to apply for a placement. This provides cyber criminals with a university email address, which they can use for phishing campaigns.
With these different avenues of attack, it’s no surprise that the numbers of attacks we see against colleges and universities continues to grow. Attacks are becoming so widespread that in 2017, the FBI had to issue a warning that college students across the US were being targeted with phishing attacks.
Higher education institutions are also being threatened with
industry specific attacks. Earlier in 2019, nearly 400 universities around the
world were targeted by sophisticated nation-state affiliated hackers attempted
to steal intellectual property conducted by university researchers.
Colleges and universities also hold sensitive data on
students, including personal and financial information, as well as accounts and
passwords, which are very valuable for attackers. For this reason, there are a
number of cases of cyber criminals targeting educational organizations to compromise
What are the threats facing higher education?
There are two common types of attack that universities and colleges are targeted by. The first are impersonation attacks, in which attackers will pretend to be a trusted account. The second is account compromise, which sees attackers takeover accounts, to send out spam or phishing attacks. Attackers are looking for quick hits, and quick pay-outs, and these types of attack fit the bill perfectly:
Phishing is one of the most common attacks facing higher education institutions. A recent report from the Higher Education Policy Institute and JISC, a security provider for higher education, found that there has been an increase in phishing attacks, both in number and in sophistication.
This report urges colleges and universities to improve their protection against scams to reduce the risk of personal staff and student data, as well as research data. Phishing attacks can be very difficult to block. They involve cyber-criminals sending malicious emails which attempt to trick recipients into giving up financial information, or going to a fake website and entering a username and password. In a recent case from the UK, students were told they had been awarded a grant of £1,750, but were taken to a malicious web page, in an attempt to obtain usernames, passwords and credit card details.
This type of attack is difficult to stop, because these emails don’t necessarily contain anything overtly malicious. This means security technologies and virus scanners don’t identify them as being harmful, and they are delivered to inboxes without being stopped. Having the right security solution in place that can effectively block phishing attacks is hugely important.
The report found that as academic years begin, there is an increase in the number of these phishing emails. Specifically, there has been a rise in ‘Student Grant Fraud,’ where students are sent emails purporting to offer free student grants, or requesting bank details to receive free loans. Of course, these emails are fraudulent, and can cost students thousands.
Business Email Compromise
One of the other major threats targeting higher education institutes in particular is business email compromise. This is where email accounts are hacked, with account credentials stolen. Cyber criminals will then use the compromised accounts to send out hundreds of spam emails and phishing attempts to everyone else within the institution.
This kind of attack normally originates with phishing, and
can rapidly spread. There have been past
reports of up to 1.5 million spam emails being sent out from compromised university
accounts, after attackers gained access to the staff email server, and we hear from security
teams around the world that these attacks are common.
More recently, in June 2019, Oregon
State University announced a security incident in which cyber criminals
compromised a single employee’s email account, and abused their contact list to
send out phishing emails to students and former students around the country. That
single account had access to over 636 students and their families, including names
birthdays and social security numbers.
This type of attack is more than just a nuisance. It slows
down email servers, causes legitimate university emails to be rejected as spam,
and can potentially lead to the spread of phishing attacks which can cause financial
loss and credential theft. These kinds of attacks are time consuming and
difficult to deal with, and can cause problems for staff and students who need to
be able to communicate effectively.
The best way to stop these types of attacks is to have a
strong email gateway in place, which will identify compromised accounts and
stop them sending out malicious emails.
a less common but still potentially very damaging type of attack facing higher
educational institutions. Ransomware involves hackers sending out phishing
emails that deliver a malware or virus download. If this malware is installed,
it rapidly spreads out to other machines, duplicating itself. It encrypts all files
and renders computers and laptops affected useless. Hackers will then display a
messages, threatening to keep files locked, or delete them, unless a ransom is
and colleges this can be hugely damaging. It presents a very real risk of academic
work being lost or destroyed unless huge sums of money are paid. This is true
for both student work, and staff research, which could represent hundreds of
hours of work and thousands of dollars, if not backed up properly.
There have been
numerous examples of this type of attack. In July 2019, cyber criminals succeed
in attacking a college system in New York, with a ransomware attack that
compromised multiple campuses. The hackers encrypted all of the school’s files,
demanding a sum of 170 bitcoin, which at the time was worth about $2 million. This
attack caused chaos for the school, with additional costs of paying for the
files to be restored, implementing cyber defences, and dealing with student concerns
after the attack.
happens to universities and colleges regularly, and the best way to prevent
them is to implement robust email defences that can stop these threats before
they’re executed. Although in some cases files are able to be restored from
backups after the ransomware has struck, it’s far better to stop the malware being
delivered in the first place.
How Universities and Colleges Can Stop Email Threats
Phishing, ransomware and account compromise are the three biggest
threats facing higher education. Here are the best ways that security teams can
combat these threats:
Secure Email Gateways
The first step to blocking email threats targeting higher education
institutions is to have a strong email security system in place. Email gateways
act as a firewall for your email communications. Using threat protection technologies
like attachment sandboxing and URL link scanning, email gateways stop ransomware
and spam before they are delivered to your users.
With email gateways you can also blacklist and whitelist domains, to stop known harmful accounts from being able to target staff and students. Email Gateways also provide outbound email protection, they are able to stop accounts from sending out spam or phishing attacks based on pre-defined rules. Email gateways can be delivered as a cloud service, on-premise or as part of a hybrid deployment model.
Read: The Top 11 Email Security Gateways
Post-Delivery Protection solutions protect users from threats from inside the email inbox. Like gateways, they can filter incoming email, looking for signs of threats like ransomware by picking up malicious links and attachments. But the key threat defence they provide is using machine learning to identity and block phishing attacks, and giving admins the chance to remove these threats, even after they have been delivered.
Many post-delivery protection solutions will place warning banners on emails which alert users to messages that are potentially harmful. They also allow end-users to report emails which they believe to be suspicious. According to admin policies, this will then remove the email from all other inboxes. Post-Delivery Protection solutions work well with cloud based email platforms like Office 365.
Security Awareness Training
Many of the common cyber threats that we see facing higher
education institutions come from a lack of awareness about the threats and how stop
spot them. Implementing Security Awareness Training for all staff, including
those in admin roles, is an important step in combatting email threats, by
making sure everyone knows what they look like and how to stop them.
Many Security Awareness Training vendors also provide
phishing simulation. This allows admins to create simulated phishing email
campaigns and send them out to staff, helping to see where people need more help
spotting email threats. Security Awareness Training is delivered as a cloud
based service, providing admins with a dashboard to deliver email campaigns.
Summary: Key Questions for Higher Education Security Teams
We’ve covered the major threats that are facing security teams
today. What questions should you, as someone making security decisions on
behalf of university or college be asking? It may be useful to consider the
following three questions.
- Do you understand the cyber security threats
facing further/higher education institutions, and the harm they can cause?
- Are you aware of how vulnerable your organization
is to cyber security threats?
- Have you got the right cyber security technologies
and best practices. in place to stop attacks from reaching your organization?
Considering these factors will help you to know how strong
your cyber security defences are and how equipped your organization is to deal
with cyber threats.