What Colleges and Universities Need to Know to Improve Cybersecurity

Bryan Christ

November 9, 2022

The back-to-school season is typically an exciting time for most, but what comes next for higher education institutions often leads to headaches. Before students reach campus or sign on remotely, the college or university has to onboard thousands of new identities to its digital ecosystem. 

The bulk onboarding and offboarding of users can be a time-consuming burden, and it also introduces a significant risk. According to Verizon’s Data Breach Investigations Report, educational services saw a dramatic increase in ransomware attacks this year (accounting for more than 30% of all breaches), but the use of stolen credentials is the most common cause of a data breach at roughly 40%. 

Human error is pervasive in the education sector; 34% of it stems from emails sent to the wrong people, or with the wrong attachment, according to the report. Email is a common attack vector for a breach because data is often sent carelessly. Users fall victim to social engineering and phishing scams, allowing threat actors to get in the door.

Once threat actors gain access, they move laterally through the institution’s network conducting reconnaissance until they get their hands on something significantly privileged. Then they exfiltrate the data, encrypt it, and demand ransom. According to Verizon’s report, the motive is financial in 95% of breaches in the education space. 

Recent cases show just how dangerous this can be for institutions. In England, the parent of a City College Norwich student was mistakenly sent an attachment with the personal information of hundreds of people associated with the college. In June, California’s Simpson University published a disclosure 10 months after a data breach occurred in which email accounts were compromised and personal information like health data, social security numbers, and banking information were at risk for more than 6,000 people, according to reports.

Educational institutions need improved identity access management (IAM) to help them keep risk low without sacrificing user experience in core systems like email. 

Let’s take a look at some of the challenges higher education institutions face, what IAM solutions are available now, and what’s on the horizon.

Campuses are connected, but not unified

Few challenges are exclusive to a single industry, sector, or vertical but higher education has a short list of common challenges. One of the biggest pain points for colleges and universities is when a user has overlapping roles or secondary affiliations. What does that mean for their online identity? 

Let’s say a student has a part-time job through the school, or is considered an adjunct for a particular course. Their user profile will need to reflect that and necessitate more permissions than the average student would have. The end result is often overly broad permissions for users with multiple affiliations. And what if that temporary role as an adjunct ends with the semester? There is a risk of disabling access and entitlements even though some should still remain. In fact, identifying those multiple-role users is a common challenge. 

It is difficult for institutions to pinpoint those special-case users, in part, due to disparate directories. For instance, student identities may be in a siloed system that’s different from faculty or alumni. It’s common for there to be pockets of technology spread throughout the university since different departments launch their own highly customized systems that aren’t always governed by IT. 

The technology sprawl leaves IT administrators needing a way to compile all available data in a unified view, filter out the bad data that’s often forgotten in systems, and identify unique entitlements that may only be used for a small portion of the institution’s total users. 

Today’s IAM landscape

Keeping identities and credentials secure is a growing challenge. In the first half of 2022, there were 7,136,948 victims of 10 data exposures, according to the Identity Theft Resource Center

It is especially important to prioritize IAM in higher education because of the unique challenges with batch onboarding processes. According to the Ponemon Institute’s State of Enterprise Identity research, 84% of organizations lack a mature IAM program and 52% of those that suffered a breach in the last two years report that it was due to a lack of comprehensive identity controls or policies. 

Imagine that a university is hosting a two-day conference and needs to quickly onboard 1,000 transient users and provide access for the duration of the event. When the conference ends, those entitlements need to vanish so the university doesn’t have an unnecessarily large attack surface. 

Legacy IAM solutions can’t handle that scenario very well. It’s hard to automate the provisioning and de-provisioning of all those users without surefire integration paths between the database of temporary identities and the resources they’ll need to access. 

Many institutions that use an open-source, legacy, or homegrown access management system will be quickly overwhelmed. Instead, institutions need a partner that can offer flexibility, scalability, efficiency, and governance.

Passwordless or change your password less?

The IAM industry has turned “passwordless” into a buzzword that sounds like a great marriage of security and a simple user experience. For many higher education institutions, the legacy systems they operate within don’t allow that.  

Passwordless authentication is where this is all heading, but institutions need to be able to accommodate their legacy technology. Increasing password complexity would allow users to change their passwords less often, and with the right tools in place users may not even need to remember their passwords at all. 

What’s more important than chasing a passwordless future is for colleges and universities to modernize their IAM programs within their current environment. Overcoming the challenges of onboarding thousands of new identities, ensuring they have the proper entitlements, and offboarding them when necessary is how higher education institutions can create a safer digital environment.