A recent report from BitSight Technologies entitled “Powerhouses and Benchwarmers: Assessing Cyber Security Performance of Collegiate Athletic Conferences” has found that leading colleges and universities across the U.S. are at even greater risk of security breaches than the retail and healthcare sectors.
“From Social Security and credit card numbers to health records and intellectual property produced by research departments, colleges and universities house a vast amount of sensitive data,” BitSight co-founder and CTO Stephen Boyer said in a statement. “While not surprising given the unique challenges universities face securing open campus networks, it’s concerning to see that they are rating so far below other industries that we’ve seen plagued by recent security problems.”
The company’s BitSight Security Ratings, which range from a low of 250 to a high of 900, use publicly available data to rate an organization’s security performance on a daily basis. The Security Ratings of the colleges and universities BitSight surveyed average around 600, far below the average for retail and healthcare — and when students are on campus, from September to May, schools’ Security Ratings drop by a further 30 points on average.
“University cyber security is a complex game that involves juggling a high volume of open network access points, diverse technology needs, multiple compliance and regulatory measures and the protection of high value information, such as student and faculty data or even sensitive intellectual property,” the report states. “It is no wonder that these organizations often drop the ball.”
Still, some colleges and universities perform well above the aggregate ratings for other industries. The report notes that all of these schools (those with a Security Rating of 700 or higher) have a CISO or Director of Information Security on staff. “These schools should serve as an example for other colleges to benchmark their performance against,” Boyer said.
Recent high-profile breaches at U.S. colleges and universities include a cyber attack on the University of Maryland on February 18, 2014, which exposed more than 300,000 faculty, staff and student records; a March 2014 breach at the University of North Carolina that exposed an undisclosed number of students’ and employees’ names, addresses and Social Security numbers; and the theft of 163,000 student, alumni, applicant, faculty and staff records from Butler University in May 2014.
And earlier this month, Weber State University student Joseph W. Langford was charged in connection with breaches of university and faculty computers. “What we know is he hacked into some computers,” university spokesperson Allison Hess told the Deseret News. “We haven’t gotten any indication he used the information to get into any financial or other personal information, but we don’t know for sure.”
Weber State University says the information of 1,200 people who used the breached computers between January and April 2014 may be at risk.
“As with any large institution, we have so many students and faculty and staff and computers and we access so much technology, we have to be constantly vigilant with the security,” Hess said.