The Case for Enhancing Cybersecurity Defenses

Posted by Josh Young on 26 July 2017

Cybersecurity budgets are not infinite, and most IT teams at institutes of higher learning must secure a rather porous, frequently-accessed network with very few resources. Sound strategy, in turn, encourages these teams to focus on core systems -- protecting educational tools and learning platforms -- as well as high-risk targets, such as student records.

However, there are a number of secondary targets that can prove to be just as lucrative to criminals and hackers, such as the nearly 14 million compromised email accounts belonging to faculty, staff and students that are currently for sale on the dark web.

These accounts were identified in a report produced by the Digital Citizens Alliance, and nearly 11 million of the stolen credentials were addresses featuring the .edu suffix. Given that 87 percent of mobile device users between the ages of 18 and 30 reuse passwords across multiple sites, these credentials also create opportunities for scammers to hijack accounts on other sites, such as online banking or ecommerce portals.

A Larger Threat to Campus Security Systems

Of course, these compromised accounts not only place individual users at risk, but can also lead to larger compromises of campus systems. According to the 2017 Verizon Data Breach Investigations Report (DBIR), 81 percent of hacking-related data breaches relied on stolen or weak passwords. And once inside, criminals can wreak all manner of havoc.

The Ponemon Institute determined that the average number of records compromised during a data breach in 2016 was 28,512. And in the education sector, the average cost for each lost or stolen file was $245.

From a legitimate account, criminals can also game password reset processes for other university systems, or, if the account belongs to key faculty, they can use a variation of the CEO fraud scam to divert legitimate funds or resources. Similarly, they can more easily trick other users into opening attachments riddled with ransomware or other malicious code.

What Actions Can Your Campus Take?

Password security

The weaker the password, the more quickly and easily it will be compromised. After all, there's a reason that "password" and "123456" have dominated SplashData's list of compromised passwords for the past several years.

Some measures your school can take to improve password security include:

  • Requiring passwords to feature a mix of uppercase and lowercase letters, numbers, and special characters
  • Forcing users to create new passwords every semester
  • Making minimum password lengths longer
  • Encouraging the use of passphrases instead of passwords
  • Directing users to password vault or manager software
  • Offering access to a random password generator
  • Preventing the reuse of passwords across multiple campus systems
  • Considering two-factor authentication for key systems

Cybersecurity Training

To further strengthen your campus security posture, employ ongoing data security training for staff, faculty, and students. New student orientation is an excellent time to discuss personal cybersecurity techniques and strong password etiquette. Similarly, for staff and faculty, data security education can be combined with existing programs, such as student privacy training.

This education should also cover how to spot phishing schemes and other common social engineering techniques, since cybercriminals have predominantly relied on these strategies as their primary exploit for bypassing network security for the past several years.


Much like every industry, institutes of higher learning will continue to be a target for cyberattacks, and while there is no failsafe plan, a knowledgeable user base along with sound policy can help shore up your defenses -- often without breaking your budget.

To learn more about how we can help your school protect students and their data, request a demo of our campus data privacy and security training courses today.
