Universities fail to get to grips with cyber security
As thousands of students prepare to return to university over the next few weeks, new research by security ratings company BitSight shows that this is a busy time for hackers too.
The researchers found that Ivy League schools, for example, see a 48 percent increase in the number of malware infections during the academic year from September to May.
To assess the security performance of American higher education institutions, the research focuses on major collegiate athletic conferences. It finds that the security ratings for these conferences are considerably below those of retail and healthcare organizations.
It is perhaps not surprising, then, that higher education institutions experience high levels of malware infections. The most prevalent infection comes from the Flashback malware, which targets Apple systems. Flashback accounted for 37 percent of infections seen in Ivy League universities and over 26 percent in SEC schools, pointing to the popularity of Apple systems among students. Other prominent malware detected includes Conficker, accounting for 21.7 percent of Ivy League infections.
Another interesting finding is that security ratings drop over the course of the academic year as students introduce insecure devices to school networks.
Universities have to comply with a number of different regulations but the report's findings suggest that compliance doesn't equate to security. The schools that achieved the best security ratings all had a dedicated CISO or Director of Information Security, showing that taking security seriously leads to better performance.
The report's authors note that, "Students and faculty have diverse IT needs that require multiple access points and large often unrestricted networks. In order to effectively prioritize security on campus networks, security teams need expanded visibility into their current network vulnerabilities and quantitative benchmarks to compare against. Only when information security moves out of the IT department and becomes an institutional strategic priority will higher education organizations effectively create an environment that secures sensitive personally identifiable information and intellectual property data".
They conclude that better monitoring and benchmarking of security performance is where universities need to start to improve their performance.
You can find out more about how BitSight measures security performance on the company's website.