US universities at greater risk for security breaches than retail and healthcare: BitSight

A new report says the majority of attacks experienced by higher education institutions come from malware infections, and most universities are ill-equipped to prevent and handle such attacks.
Written by Natalie Gagliordi, Contributor

The back-to-school season is a busy time for many, even hackers.

According to a new report by the security rankings provider BitSight Technologies, higher education institutions experience an influx in malicious cyberattacks during the school year.

But what's worse is that most of those universities are ill-equipped to prevent and handle such attacks, which, according to the report, results in cybersecurity rankings below those of retail and healthcare, two sectors plagued by near-constant security attacks that often result in successful breaches.

The majority of attacks experienced by higher education institutions come from malware infections, with the most prevalent being Flashback, which targets Apple computers. Other prominent malware includes Ad-ware and Conficker.

BitSight said universities are the targets of so many attacks because they harbor a trove of sensitive and personal data, ranging from addresses and social security numbers to credit card numbers and intellectual property — and hackers are quick to notice the weak IT infrastructure in place to keep that data protected. 

According to the report:

University cybersecurity is a complex game that involves juggling a high volume of open network access points, diverse technology needs, multiple compliance and regulatory measures and the protection of high value information, such as student and faculty data or even sensitive intellectual property. It is no wonder that these organizations often drop the ball. Whereas businesses often have dedicated security teams that can work in conjunction with IT groups to create manageable network access points and maintain certain restrictions, security teams at schools are often left playing catch up.

BitSight focused on collegiate athletic conferences to assess the cybersecurity of higher education, separating the schools into the SEC, ACC, Pac-12, Big 10, Big 12 and Ivy League divisions.

All of the conferences saw a drop in their cybersecurity efforts once school was back in session, although some fared better than others. On average, schools in the Big 12 ended the year with the highest rating at 661. The Ivy League ended with a 614 rating, and the Atlantic Coast Conference ended the school year with the lowest rating at 588.


Stephen Boyer, co-founder and CTO of BitSight, noted that there were a few outlying schools in the mix with a security rating of 700 or above. Unsurprisingly, all of those schools turned out to have a dedicated CISO or director of information security on staff.
