Cutting-edge research institutions need cutting-edge cybersecurity to protect their IP and critical personal and financial data. Universities hold vast repositories of valuable information, including student healthcare information, patient information from academic medical centers, and financial and personal data from applicants, donors, students, faculty, and staff. So it’s no surprise hackers have been targeting universities lately—in fact, at least eight American universities (including Harvard, UC Berkeley, University of Maryland, and Indiana University) have announced cyber intrusions over the past two years.
With the cost of a data breach averaging $3.8 million,[1] universities cannot afford to pretend cybercrime won’t happen to them. For institutions with health records, the financial costs can be even greater (as high as $360 per record!), due to the high value of health records on the internet’s black market, the “Dark Web.”
But the dollars may not mean as much as the bad PR—having your institution’s name in national headlines, risking research funding from governments or corporate partners, losing protected and sensitive IP, fielding calls from angry donors, students, and parents whose personal information has been compromised, and defending multiple civil suits—all because the institution failed to assess its cyber liability. (See additional information on assessing cyber liability.)
For major research institutions holding valuable IP, health records, and grants for sensitive research, having a cybersecurity prevention and remediation plan is more than just a good idea, it’s an absolute must. And these cybersecurity measures must extend beyond mere “compliance.” The Federal Government will continue to create cybersecurity regulations, but their regulations never will keep up with the risks. A university’s administration answers to the Federal Government, to its Board, to its donors, to the media, to its students and faculty, and to the general public. None of these constituencies will be calmed by minimal compliance with outdated regulations.
Instead, universities can address their cybersecurity risks with some initial measures to prevent intrusions and to minimize the damage if a hacker does get through:
- Protections against Insider Threats: Attacks by insiders accounted for more than 50% of the cyberattacks in 2014. To help mitigate these threats, create an insider threat team and build a holistic approach to security—include staff from IT and technology, legal, physical security, and human resources. Emphasize training of employees, faculty, and administrators in basic cybersecurity awareness to instill habits that will better protect the institution.
- Enhance Network Security Policies and Procedures: Implement security precautions to make a hack more difficult. For example: create enhanced protocols to prevent unauthorized access to devices and systems, including multi-factor authentication; provide broad and frequent updates to computers on-campus and for computers that regularly access campus networks; and prevent access to compromised sites by incorporating controls into your network.
- Cyber Intrusion Testing: Work with a vendor to test the institution’s current cybersecurity vulnerabilities and get advice on how to reduce those vulnerabilities.
- Corrective Action Plan: —one that includes disclosure and mitigation efforts. Importantly, if an institution holds government contracts or grants, follow the required disclosure protocols for cyber intrusion (note that agencies may differ in their disclosure and mitigation requirements).
- Cyber Insurance: —particularly those with academic medical centers and/or sensitive research programs—should ensure their policies are large enough to cover a worst-case scenario.
While a comprehensive cybersecurity plan will require additional systematic and long-term efforts, taking these steps will at least keep an institution off of a hacker’s list of “low-hanging fruit.”
[1] Ponemon Institute, Cost of Data Breach Study (2015). Note this average does not include mega-breaches like those experienced by Home Depot, Target, or Sony Pictures.