1. Introduction to Cybersecurity in Higher Education
Over recent decades, higher education institutions have embraced digital transformation, leading to a surge of digital services in their environments. A new wave of ed-tech, including virtual classrooms, online learning resources, and online file storage, has offered innovative learning and working environments. At the same time, this growth in digital data and the subsequent migration away from paper has raised concerns around cybersecurity. Unlike their contemporaries in the business and public sectors, higher education institutions face unique challenges in implementing effective cybersecurity measures. Their user base is diverse, dynamic, and open, which gives them critically different threat characteristics. Compared with many corporate networks, many higher education institutions, notably those embedded in cities and local communities, have a much softer boundary between the internet and the university. This means the attack surface of many higher education institutions is richer, and access to such institutions offers a more interesting gateway than random homes or businesses. Consequently, threat actors may be able to field test their approaches in scrimmage attacks prior to launching into a corporate network, and the threshold to launch a campaign is lower due to the potential gains of achieving a breach.
Moreover, a work culture inherent to the academic environment produces other defining factors. These include a culture of collaboration through an open approach to knowledge research and development, and a philosophy of being inclusive—characteristics often leveraged by malicious actors. Finally, and most importantly, the data handled by many higher education institutions is increasingly personal and sensitive in nature, and hence worthy of protection in this space. To this end, universities must be both proactive in defending their environment from potential and real breaches, and reactive in returning the environment back to normality when a successful breach occurs. With that large turnover of information, there is also the insight that education offers a different, but potentially lower, value specification from research or enterprise. As the educational data must be freely available to students, this can often have a knock-on effect on a higher education institution’s information governance structure and security effectiveness. It is also seen from breach effects that the prime target for education being inactive—either rehabilitation or in the summer months—is relatively attractive to attackers. Cybersecurity is therefore becoming increasingly important within higher education institutions and is an institutional duty of care. Ignorance is not a defense, nor is being mediocre in the face of a growing cyber threat that can disrupt students, faculty, staff, and operations. An important part of an effective cybersecurity strategy is based on the realization that there are groups or individuals with malevolent intent, and that higher education institutions are being, or will be, routinely targeted.
1.1. Importance of Cybersecurity in Higher Education
New developments in information and communication technologies pose new risks to the users of these technologies. Several critical national infrastructure and defense sites have been infiltrated in recent years. The increasing amount of personal data often makes these institutions lucrative targets. Properties of educational institutions typically make them attractive targets as well. These organizations manage vast amounts of sensitive, sometimes revolutionary, research data. Through their operations, colleges and universities generate and maintain detailed records on staff, faculty, and students. Additionally, many members of their communities engage in a variety of research and business ventures, using the institution’s infrastructure to operate special projects with external clients and vendors.
A significant amount of valuable intellectual property is stored within these organizations. This increasingly valuable digital content has made colleges and universities popular targets for attackers, particularly those using malware. A number of factors make cybersecurity important in higher education. They include the centrality of data to the programs these institutions offer, the value that data has, often from several perspectives, and the manner in which attackers and attack methods at an institution can affect many institutions. Providing robust cybersecurity protection is not just a data protection measure; it supports the continuity of an institution’s educational, research, and business activities. Protecting against breaches is more than avoiding penalties. In this increasingly digital world, breaches are reported regularly and can have a significant secondary impact. Many people will reconsider dealing with an institution following a breach. Some students may choose a different institution, and faculty or new hires may turn down employment offers. A robust cybersecurity culture is an important part of mitigating the impact of a breach and is a key element to institutional resilience.
2. Common Cybersecurity Threats in Higher Education
Higher education institutions are increasingly becoming lucrative targets for cyberattacks. The culture of security at universities, however, has been observed to be somewhat lackadaisical. Most of the faculty, staff, and students do not take robust security measures to safeguard their devices. This general lack of concern and proactiveness towards security dramatically expands the attack surface. The threats to universities can be varied in type and origin, and their methods are becoming more sophisticated and multidimensional. The following provides a brief overview of some of the most prevalent cybersecurity threats in higher education:
– Phishing: Social engineering attacks on faculty, staff, and students. One form of phishing specifically aimed at universities is academic email phishing.
– Denial of Service (DoS) attacks: Servers are overwhelmed with requests, so that operation slows down or the server is brought to a halt.
– Man-in-the-Middle (MITM) and sniffing: A hacker can use a variety of techniques to intercept network data and steal the information that is being sent between two parties. A robust form of MITM is an HTTPS interception attack.
– Ransomware: Malware that encrypts a user’s files or renders a system inoperable until a sum of money is paid to the individual who released the malware. Ransomware can have a drastic effect in a world highly reliant on technology and can be especially hard-hitting for universities, as they are home to many important records.
Other types of attacks such as Man-in-the-Cloud or eavesdropping, badgering, and network security appliance attacks are also worth mentioning. Many universities and higher education institutions house sensitive data on many individuals, which can, in the hands of profit-driven or highly persistent cybercriminals, be extremely lucrative. This data can be traced back to anything from medical research papers to students’ personal and confidential information. If leaked, this data not only affects the university’s reputation but also may have financial consequences. Academic operations would also be directly affected if malware were to take servers down. These security threats are indeed broad and elaborate with many vantage points, ranging from simple and naive attacks that take advantage of disgruntlement or negligence to attacks piloted by highly sophisticated cybercriminals with their eyes firmly fixed on monetary rewards. These different attacks require very different defense methods. It is time for universities to stand up and put measures in place to perpetuate a robust web of defense mechanisms.
2.1. Phishing and Social Engineering Attacks
Phishing is a type of online scam where attackers send out messages that imitate an actual organization in an attempt to deceive their targets into divulging sensitive personal and/or professional data. These emails typically contain a call to action directing the recipient to click on a link or open an attachment, which then results in the installation of malware or the collection of sensitive data from the user’s computer. Phishing exploits the weakest link in an organization: its employees. Educational institutions are prime targets for phishing and social engineering attacks. Similar to attacking a business, knowledge is gained about the targeted institution using public sources. Once sufficient information is gathered, these attackers can craft the email to look like it is coming from known sources such as colleagues or university administration. Although faculty and researchers are common targets, students have been targeted as well. Example messages for students might claim to include critical information about scholarships or other financial awards.
The success of these attackers relies on individuals who have access to sensitive data and systems. As a result, we face a serious challenge: how to build and maintain effective security strategies that recognize that any user might become a potential weak point. To mitigate the risks associated with smuggling in malware or allowing unauthorized third parties physical access to an educational establishment, it is necessary to engage community members to participate in a collective risk management strategy. Establishing a commitment to cybersecurity awareness through campus-wide training and support is essential in the development of a cyber-resilient community. Lower-level security threats become less of a concern if students and staff are focused on managing the risk associated with phishing and social engineering through incident response planning and exercises, well-informed communities, and encouragement to highlight cybersecurity issues when they arise.
2.2. Data Breaches and Unauthorized Access
Data breaches can occur after an unauthorized individual gains access to an organization’s computing infrastructure. This can lead to exposure of all or some of the data stored in that infrastructure, which can include data about employees, students, and others associated with the institution. This data can be used to cause harm, including identity theft, financial fraud, and social engineering attacks. Organizations, in general, are required to store a variety of different kinds of sensitive data, including both personal and academic records. Many of these data types are protected by individual pieces of federal legislation that each have their own set of required protections. This makes securing the totality of an organization’s data both complex and difficult.
The largest percentage of data breaches in both the overall report population and in the educational services sector were financially motivated. This held true even when data breaches were sorted by the attack vectors. Data breaches can occur for any number of reasons, including espionage, activism, and corporate sabotage. In any of these cases, organizations have an ethical obligation to protect the data stored on their infrastructure. They also have a legal obligation to protect any personally identifiable information about their employees or students. A data breach can cause an organization to lose trust from its employees and customers/students. Data breaches can also lead to a financial loss, ranging from the cost to repair the damage to an organization’s reputation to fines resulting from the loss of data, especially if corporate obligations are affected by the loss. The best way to protect data is to go through the data and identify which security protocol is required in order to protect that data. Once the security requirements are known for each data type, the infrastructure can be designed with that protocol in mind, effectively protecting the data.
2.3. Ransomware Attacks
Ransomware attacks have increased in popularity mainly because of the ease with which they can be carried out and because the attackers are guaranteed some form of payment. At its core, a ransomware attack is typically a form of malware designed to infect a user’s system, encrypt their data, and then demand payment in exchange for the encryption key needed to restore the data to a usable state. There are, of course, variations on this theme, but the general approach remains fundamentally the same. The offering of the encryption key, once a ransom has been paid, is the giveaway to the true nature of the threat being utilized. With higher education institutions being increasingly dependent on IT for most operational and administrative functions, a ransomware attack can have severe repercussions. These can range from simple operational disruptions (which themselves can create a financial impact) to needing to pay for the recovery of the systems themselves (which usually costs considerably more than paying the original ransom), further increasing the financial burden.
It has been suggested that in scenarios such as these, some form of mitigation must be employed—that is, a “defense in depth” approach to cybersecurity which encompasses not only protective measures such as antivirus and network security systems but also preventive strategies including generating and regularly testing backups of critical data as well as creating and continually testing an incident response plan. Hence, those who have been affected, providing they have followed the recommended guidelines, can recover their systems and data from backups. Moreover, the psychological impact on those affected can be immeasurable—a feeling of not being in control or helpless against an attacker after a ransomware event is not easily overcome. In such organizations, there is a ready supply of victims who have access to important data that often hasn’t been backed up.
3. Impact of Cybersecurity Threats on Higher Education Institutions
The impact of a cybersecurity breach at a higher education institution can be significant. Financial losses can include direct damages from the incident, costs to recover from the incident, and potential fines and legal fees. There can be negative legal and compliance implications if personal or intellectual property data gets exposed. The reputational damage from large-scale or repeated incidents can impact student enrollment and retention and negatively affect alumni relations. It can take a long time for this damage to be rectified. Importantly, a breach can affect the reputation of an institution’s research capabilities and its ability to safeguard proprietary research findings, impacting future research collaboration and grant awards. The best investment in cybersecurity is the one put in place in advance of an incident, as patching institutions and managing the recovery under a public spotlight is much more expensive.
To the same degree, an effective cybersecurity program is now considered a key component of an institutional reputation as well as a top issue for many institutions’ boards of trustees. A low-quality security program has been the lynchpin of large-scale thefts over the last year; multiple entities around the world were successfully targeted by heavy cyber espionage activity. Those who are able to detect the incident are then swept into recovery operations prioritizing patching and lockdowns in addition to incident recovery alongside malware eradication, data restoration, and other steps. Casualties of these swift efforts can include disrupted programs and administrative functions. Some institutions even continued cleanup activities on a prioritized timeline months after the incident reached public awareness in the case of high- and severe-scale events, making recovery from individual incidents last over a year.
3.1. Financial Loss and Legal Consequences
Data breaches cost money. While the direct remediation costs are probably the most visible financial impact of a breach, related expenses such as legal fees, potential regulatory fines or penalties, and settlements in class action lawsuits all contribute to the total cost. The average cost of a breach is $3.86 million, or $148 per record. The primary drivers of the cost of a data breach are related to causing and responding to a breach. These costs can be divided into four areas: (1) detection and escalation, (2) notification cost, (3) post-breach response, e.g., investigation, and (4) lost business. In the case of small- to medium-sized breaches, three-quarters of the major financial impacts come during the first year. The most damaging consequence of these financial impacts is that they can lead to budget constraints which, in turn, can place restrictions on other resources or programs. As a result, public and even private institutions may limit the amount of money available for student services, such as specialized tutoring. Additionally, these institutions may want to fundraise or offer more merit-based scholarships to attract high-ability students. To make these projects feasible, they will have to seek funding from private or public sources. Civil suits are another way that organizations feel the financial impacts of breaches. Some of the most publicized headlines have been about the amount of money companies paid out in litigation. For example, in July 2017, a company reported that its net income dropped by 27% in the second quarter due to a significant loss related to the breach, although this did not include the legal and other costs it expects to pay.
Finally, there are the legal consequences. Not only do higher education institutions have to contend with possible suits from those whose data has been exposed, but they must also deal with regulatory agencies. In the past decade, a growing number of federal and state laws have obliged organizations to notify affected individuals of a data security breach. There are currently 47 breach notice laws distributed across 47 jurisdictions, including every state, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. Not all of these jurisdictions have the same definition of a breach, how quickly the notice is due, or what needs to be in the notice. Moreover, breaches of universities’ databases sometimes also involve foreign students and staff, making privacy rules compliance and timeliness an issue, even if the institution is not covered by the laws applicable to certain member states. While this issue is beyond the scope of this paper, it is important to note that more information is subject to being made habitually public, instead of what has been announced.
As the information above indicates, the financial cost of a cyber breach can extend far beyond the immediate expenses. You may have to pay for the breach for years to come, and it may affect your institution’s stability and future mission. Between fines or penalties, dealing with current and future lawsuits, or dealing with lost time on the part of employees, cyber breaches are too costly to ignore. This chapter outlines the financial considerations of why cybersecurity is crucial and may help to inform how you should go about budgeting for your institution’s various cybersecurity needs.
3.2. Reputational Damage
Discussions of cybersecurity threats often fail to cover the aspect of the possible reputational damage. Reputational damage to an institution is potentially damaging due to the fact that students need to be and feel safe when attending classes. Staff will be less likely to feel content, turnover goes up, new students and academic partners may be dissuaded, and then there is the current body of work which others will immediately discredit. This dimension of cybersecurity threats is magnified at higher education institutions. Institutions rely on the students they enroll and the trust placed in them by other stakeholders, including governments and future employers. After all, members of the executive boards as well as presidents, chancellors, or rector boards are becoming increasingly aware of their role in securing the reputation of their university. It seems indeed no coincidence that investment in and implementation of cybersecurity is pending on those university campuses that have just experienced reputational damage from cyber breaches.
Hitherto, many academic institutions have only observed the risk from reduced enrollments, lost partnerships, or reduced donations from a conceptual vantage point and have not really prepared for a concrete reputational threat through data loss in advance. Several issues come into play when reputational prospects are diminished. Some argue that in a “winner-takes-all” environment like the top-tier education industry, a reputed university could easily regain its reputation, quite like recovering from bad press. This is not necessarily so. If a university gets breached, it signals a breach of university standards worldwide. If this university reports it, it is scared of the impact it might have. Instead of investing so much money, effort, and risk to know what not to talk about PR-wise, it seems a cheaper approach to not get affected. However, that is a very expensive and unrealistic insurance. This will pay off once a more culture-aware approach is taken. Therefore, bolstering your ability to resist such claims from institutions needs to be done by a proactive approach.
4. Mitigation Strategies for Cybersecurity Threats
Institutions of higher education can adopt some proven mitigation strategies to reduce the impact of threats to their cybersecurity. First and foremost, institutions must consider a comprehensive approach to enhancing cybersecurity, one that integrates technology, applications, people, practices, and policies. Technology measures such as employing multi-factor authentication can help to control access to IT resources and avoid threats, but a greater threat is from social engineering and technical support scams. The direct communication and training of students, faculty, and staff are therefore important. Regular training is an essential element in raising the security awareness of a target group that is seen as not having a clear view of the dangers and how to report them. An incident response plan must be designed, and organizational awareness must be created in the student and staff bodies around the incident report chain.
Breaches can be limited if a properly functioning incident response plan is in place. Information security policies will affect the organizational security paradigm, making them more formal over time. A security-aware culture should be adopted to reduce the endpoints and exposure of the institutions and those they collaborate with who may become targets. Periodic review of information security policies, practices, and compliance levels in light of the dynamic, changing cyber threat landscape is important. There is a need to adapt to existing practices and to incorporate new standards and guidelines. Executives should cultivate a relationship with a broad range of stakeholders in their information security strategies. Given the extensive word-of-mouth behavior exhibited by students, enhancing the security program requires administrators to concentrate on that demographic in particular.
An institution must take steps to guard against all the above threats, meaning both institutions must be aligned on their security implementations. In a large complex institution, good communication is necessary to ensure such alignment exists. All members of the institution, especially IT personnel, faculty, and students, must be aware of these threats and have mechanisms in place to react appropriately. The point of the CSIRT is to contain the incident before it causes any more damage. Beyond the technology solutions listed above, it is common for federations of higher education institutions at a national level and the wider public sector to develop policies and terms of engagement for collaboration to be signed by vendors before taking up their services.
4.1. Implementing Multi-factor Authentication
Multi-factor authentication (MFA) is another important part of the cybersecurity strategy at higher education institutions. An investigation of the reported data breaches found that the majority of account compromises were the consequence of stolen or compromised passwords. What makes this statistic particularly concerning is that phishing attacks have increased in frequency. As a result, employees and students at an institution could become the focus of corrupt actors who seek to access sensitive data. Implementing multi-factor authentication requires corrupt actors to overcome an additional hurdle, and large institutions report that doing so is not worth the effort. One of the facets of this security protocol that sets it apart is that it is particularly hazardous because it requires human communication.
MFA for student financial interfaces is particularly crucial. One of the practical goals of these young individuals is to have access to their financial information as soon as practicable. Implementing MFA not only safeguards the data collected by the institution, but it also fosters trust among users. One of the challenges in implementing MFA is ensuring students and staff are properly instructed in how to use it. However, because there is a substantial link between training and user engagement, it is feasible to demonstrate why acceptance of MFA is critical.
– Best practice: If there is resistance to the implementation of MFA, it may be beneficial to identify the security resources that the audience presently makes use of, such as antivirus software and firewalls, and question if enabling MFA for those devices is a logical security measure. Moreover, point out that students’ personal banking websites make the greatest use of MFA. In higher education, it is not only the educational content and financing mechanisms that are major targets, but sometimes the academic insight and career direction of some faculty, staff, and students can be of interest. Furthermore, identification or access to database tools could allow a malicious actor to manipulate years of findings. Lastly, in internships, positions, or research proposal sites, some people may have personally identifiable information, which could also be considered targets.
4.2. Regular Security Training and Awareness Programs
Training and awareness programs directly aim to address the role of the human factor as the weakest link in cybersecurity. Such programs within organizations, generally at the level of entire countries, have been proven to be more effective than investing in technical solutions alone. This is certainly also true in the context of higher education. The task at hand is, therefore, to prepare university staff or students for their role as conscious and responsible actors in the use of cyberinfrastructure. Security training is a narrow aspect of such programs and can take the form of workshops, but also more advanced measures such as a security contest or simulations, or attendance in online courses. Even brief, interactive workshops can allow users to participate and engage with content, and to share experiences and discuss possible ways to respond in the future, such that confidence levels increase and the learning environment is relaxed and enjoyable. It is especially good if it develops out of discussions, as users are supported in guiding and directing their own learning, and a personalized pathway can begin to emerge.
It is essential that security training is given to both technical and non-technical staff, and matched to their specific roles and responsibilities, frequency of authority in shortens. Importantly, even with a low to non-functioning network and focusing on basic security measures and good practices without a network connection, users can still be made aware of potential threats. Knowledge or confidence-boosting training is a very useful objective in that no one ever knows it all and training needs to be ongoing and intrinsically tied in with good security culture. Real-world experiences can be woven into any type of training workshop, as users are likely to be able to identify and recall what happens in a real-life situation as they have likely been involved in some way—it gives them an “anchor” so to speak to support their learning. The usefulness of past case-based workshops is that a wide range of professionals contributing to the educational network from over ninety institutions were given several case studies culled from their responses on security needs and the personal scenarios they sent in. You could feel the energy pick up, hear the buzz and discussions heighten as they identified with the portrayed scenarios.
4.3. Network Segmentation and Access Controls
Network segmentation is another effective strategy for mitigating cybersecurity threats within higher education institutions. By segmenting networks, potential breaches can be contained to limit access to more critical systems and sensitive data for only those users who need it. Methods for implementing network segmentation are multilayered and can be achieved by defining and enforcing user roles, establishing standards, and enforcing caller access protocols. Access controls are largely influenced by people, technology, and process, as well as regulatory and policy compliance controls. As such, they require regular review and updating, as necessary, to meet emerging security challenges and the need to provide access to services and information. A well-structured access control strategy can provide the first line of defense to prevent unauthorized access and lower the risk of a data breach. Some challenges to implementing access controls include resistance from users in terms of changes in user access level, privilege changes, changes in processes, privacy and security implications, and potential over-controls. As a result, it is important to engage with stakeholders early in the development process and to regularly communicate regarding status and changes. Despite these challenges, access controls are an effective way to reduce regular and root-cause security threats. Although asset management and data classification are procedural by nature, network segmentation and access control planning must be addressed in the design and management of network architecture. Proactively managing procedural and physical security complements overall organizational security posture, where data cannot be accessed from external entities.
5. Importance of Incident Response Planning
One of the most important mitigation strategies that any higher education institution can have in place, regardless of the size of its information technology or cybersecurity staff, is robust incident response planning designed to protect IT resources and, just as importantly, the data that should back them up. Informed and educated planning serves as a deterrent to ransomware attacks and supports effective responses when dealing with them. An incident response plan provides an efficient, organized approach to address and manage the aftereffects of a cybersecurity incident to limit damages, mitigate covert actions, ensure communication and support of critical stakeholders, maintain the trust and integrity of the affected institution, and reduce recovery time and costs. There are many components to an excellent incident response plan, including incident identification procedures, practice in isolation, incident resolution, recovery, and lessons learned. Identification proceeds through a variety of automated and manual means, including alerting and monitoring of systems and comparing data sets via manual review within network attack threat analytics. Many institutions leverage commercial products to support the identification process and use network segmentation as a key containment strategy. The above actions should be supported by rigorous practice through incident download and drill, incident response plan tabletop exercises, or both on a regular basis. At least one form of this activity should be practiced annually and, in the best of all possible scenarios, quarterly. Finally, the incident response plan should be reviewed on an annual or semi-annual basis for updates and participation. The planning and aftermath of such drills can help increase knowledge of the right delivery and standard operating procedure in the event of a ransomware attack.
Because higher education provides a unified context to law enforcement, the Research and Education Community should be included in the engagement planning. Moreover, the association should practice and put in place incident response planning and cybersecurity resources that are custom to the campus environment and not only designed to meet the best practices of cybersecurity but also enhance higher education’s overall ability to ensure resilience.
5.1. Creating a Cyber Incident Response Team
The ability to respond to a variety of possible cyber incidents in a coordinated manner is a very critical element of a security program. The cybersecurity maturity summit questionnaire underscores the formation and responsibilities of a Cyber Incident Response Team (CIRT) as a fundamental part of any institution’s IT infrastructure. The core members of the CIRT described the responsibilities of each of its members and recommended them as the first contacts for any potential security breaches. A set of essential roles and responsibilities and a list of core competencies that the team members should have were identified. In addition to technical and analytical ability, participation from a variety of departments provides distinct perspectives and representations in developing meaningful responses to security incidents and threats. The relevant job descriptions can be reviewed in the security and information systems job description resource. Moreover, cybersecurity training for non-technical majors can highlight the goal of such training and the skills required for users in these areas to help handle potential incidents. Utilize a number of methodologies to select team members. Technical members are responsible for investigating and responding to incidents, so it is crucial to have relevant IT specialists dedicate time to the team. It is also important to have representatives from many different departments such as public affairs, legal, IT, university counsel, human resources, administrative finance officer, student affairs, facilities management, and any other possible constituents involved. It is important to actively seek to incorporate a variety of skills within the group, varying from incident handling and analytical processing to public affairs and administrative functions. Members should receive required initial training and continuous personal skills development training to maintain relevant capabilities.
The CIRT should engage in regular training through simulations and drills of incidents that are both over and under the required reporting limits. The CIRT should have established not only internal contact procedures but external as well. These will range from the CEO, university counsel, or public relations officer, based on incident impact, up to federal agencies in the case of a major widespread intrusion event. The CIRT is responsible for involving other units in the internal and external data gathering phases of the investigation. They should also act as resources and guides for the institution’s Facts and Findings report.
6. Regulatory Compliance in Higher Education
Regulatory compliance is an integral aspect of the operational fabric of higher education institutions. These regulations outline legal and approved behaviors, especially regarding students’ information and other research data critical for national security. In the European Union, regulatory compliance controls the use of personal data of citizens of member countries operating in American higher education institutions. Additionally, educational organizations must also comply with the Family Educational Rights and Privacy Act. In the US, the Health Insurance Portability and Accountability Act also applies to student healthcare, but for universities, it seldom comes into play since most do not have any mechanism for handling student health information. Nevertheless, the larger regulatory net continues to become entwined. Failure to comply with set core legal frameworks may cause substantial legal consequences. Institutions running non-compliant systems may get penalized, lose revenue, incur the expense of rectification, and damage their credibility. For this reason, running a system with compliance in mind is not just about regulatory oversight; it is also about avoiding loss or damage, ultimately ensuring the sustainability of the organization.
Regulations will change daily, which contrasts with the opinion of some. Some claim the regulations follow the transposition of the headlines in newspapers, while others say that certain standards have been stable for a long time. The nature of rules and standards changes. As one aspect settles down, another evolves. The ever-evolving nature of these rules and standards is demonstrated by the change of FERPA over the 41 years since its first inception and several major compliance modulations since HIPAA’s introduction. Regulations require an educational institution to incorporate compliance into its operational plan and procedures, just as they need to understand the financial structure and operational function of their institutions. Staff and students often need to be aware of relevant regulations. It is therefore necessary for them to receive appropriate training when they are charged with handling, storing, or using sensitive information, particularly personal data such as education and healthcare.
6.1. Understanding GDPR and Other Relevant Regulations
The General Data Protection Regulation (GDPR) has implications for every institution, including universities and others in post-compulsory education and research. Although there are many principles inside the regulation, some of the most relevant to the higher education sector are the ideas of data minimization and storage limitation, fair and transparent processing of personal data, and allowing individuals the right to have access to their personal data and have it deleted from an organization. In the context of higher education institutions (HEIs), the personal data of an individual relates to the student, staff member, or applicant. For student applicants, the data includes both the individual and their parent or carer. It is only lawful under GDPR to process personal data if a suitable lawful basis is applicable. Since much of the data collected is specially protected, GDPR bestows other regulations that also need to be met, and the HEIs should have a lawful basis in the UK Data Protection Act 2018. It is also expected that every controller and processor that processes information on a large scale should have an assigned Data Processor.
To ensure that the large quantities of information that HEIs process are secure, following GDPR best practice is the main strategy that HEIs need to put in place to determine the type of strategies that should be deployed. However, apart from GDPR, there are also other countries’ data protection laws that HEIs need to adhere to, as there is often data transferred from across and between countries outside the EU. HEIs must satisfy GDPR or, where it is relevant, satisfy multiple regulations. This may mean that there would be multiple restrictions for data protection or data prohibited from outside the organization’s network. HEIs will need to develop guidelines following such provisions to assist employees in communicating with those who are suffering from an information breach, as it is important for victims to know who to contact when a data violation occurs. It is crucial for HEIs to strive to entirely implement all GDPR criteria since an organization can be prosecuted if an organization’s data breach is examined. Infringements may be extremely expensive, and through accurate preventive system implementations, specifically on an infrastructure level, herein lies the HEIs’ key to confidentiality of personal details. Moreover, staff training on GDPR, as well as refreshments and regular testing, are essential for a greater effect on the sensitive information of people. Regular audits should also be implemented to support the institution in complying with battling any data breaches that might occur. Overall, understanding GDPR is crucial for all.
7. Emerging Technologies and Their Impact on Cybersecurity
Emerging technologies have increased the scope and complexity of educational services within higher education institutions, enhancing interconnectedness and engagement. These systems’ ability to collect, analyze, and predict can significantly benefit education—from personalized learning and student outcomes to course design and predictive patterns. However, new technologies bring a double-edged sword, making them susceptible to cyber vulnerabilities. Despite their many benefits, web-based online services pose a significant threat, as successful phishing attempts can lead to the deactivation of various institutions. This is particularly true of cloud computing applications. By leveraging cloud computing, academic institutions can lean on a third party for their database management, infrastructure management, and computing payments. Nevertheless, this brings us to the need for increased cloud data management.
AI can, on the one hand, detect new experimental results quickly and inform information assembly in real-time. Yet, on the other hand, AI is capable of executing sophisticated information deception on the internet. External relationships, such as decreasing the efficacy of bolstered educational cybersecurity initiatives despite the implementation of multi-factor authentication systems, result in a combined danger. As universities navigate interconnected societies through internet use, e-learning, and active commencement efforts, it is essential to recognize the dangers of data misuse and develop open approach counseling and technical organizational safety measures. By integrating IoT, smartphones, and artificial intelligence, an academic institution empowers scholars to provide quality education through ongoing monitoring and response strategies, such as early-warning device violations or smart lighting adaptive technologies. By integrating IoT technologies within an internal network, institutions can inadvertently execute denial-of-service attacks through complex systems. Furthermore, greater opportunities for unmonitored cyber infringement on a well-distributed spectrum are available. This analysis underscores the need for care in the implementation of cutting-edge technology in educational institutions. The IT sector is growing fast, pushing us to acknowledge that conventional technology requirements for security—such as an up-to-date antivirus system and a firewall—no longer prevail. Shockingly, universities—and by extension, students and faculty—will fail to allocate the funding or design to curb security threats.
7.1. Cloud Computing and Security Considerations
7.1. Cloud Computing
Cloud computing is becoming an increasingly relevant repository solution within higher education. The ability to access, share, and manage information from securely hosted storage environments can provide a high degree of availability and reliability, as well as increased infrastructure efficiency to better meet a wide range of demands while offering increased flexibility. A key consideration is the increased efficiency that comes as a result of this shared environment. It is important that IT professionals in higher education understand how storage systems behave in the cloud and ensure that sufficient resources are reserved for a range of applications, thereby preventing infrastructure downtime. By understanding the benefits and risks associated with cloud environments and the various deployment models, CIOs can understand which applications and services will be most useful to deploy in the cloud and how they may be able to maximize the return on investment.
7.2. Security and Cloud Environments
As the threats posed by insiders, cybercriminals, and national espionage efforts continue to escalate, the importance of security in the cloud continues to grow. Potential threats include data mining tactics, compromises of intellectual property, spear phishing operations, targeted malware infiltrations, distributed denial-of-service attacks, and other orchestrated infiltrations. Additionally, the growing power and sophistication of cybercriminals can lead to an increased risk of data breaches and security incidents. As external cloud platforms can include a shared infrastructure as well as a potential loss of control over data security, organizations must perform a detailed risk assessment before deciding to move data to a cloud. Enterprises and other organizations considering this move should understand the levels of security and the shared responsibility model of data and application security when using cloud storage services. A best step forward for organizations to begin the process of moving to a cloud environment should include the use of encryption to secure sensitive data and key management services. Encryption of the data is directly under the end user’s control and limits exposure to risks in the cloud environment. Additionally, incorporating individual user-based access controls for data storage serves to mitigate risk as well. Ongoing vendor management and associated security reviews and audits are critical for the end user in order to ensure compliance against established security standards, which can mitigate risk.
8. Collaboration and Information Sharing in Higher Education
Collaboration and information sharing among and between institutions have been recognized as significant factors in successful security programs in higher education. Collective approaches to security, whether within public sector partnerships or regional or national initiatives, create an environment that allows for more thorough methods of sophisticated threat detection and response. Relationships beyond the campus can also be leveraged, depending on the particular threat with which the institution may be dealing, such as partnerships with industry, regional consortia, and law enforcement agencies. These relationships may afford technical expertise, intelligence resources, and forensics capabilities that are not available within the institutional infrastructure. Partnerships with other colleges and universities, however, have become the focus of many collaborative efforts; these relationships in particular reflect and expand on the culture of shared responsibility for security.
Challenges to these traditional approaches to information sharing exist, including potential differences in campus-level policies and relevant federal laws, as well as movement in general toward international information sharing, which will create significant legal issues. These challenges can be addressed with careful planning around issues such as developing standard forms of shared intelligence and ensuring a back-and-forth exchange between public and private responses. Strategies to develop relationships will depend upon regional cultures, membership, and administrative and organizational structures, which necessitate a grassroots approach, working from a strategic level. Key is the creation of a forum to have discussions and a place to socialize, even if policies and shared intelligence are never shared, as well as the creation of individuals who are influential and have a voice in the community and can persuade others of the importance of the task. In order to mitigate the vulnerability of educational information technology infrastructure, there is a developing collective approach to harness the extended expertise, knowledge, and resources available to colleagues. Formal and informal networks, the development of ongoing dialogue and collaborations, and leveraging external collaborators provide an institution with significant and appropriate measures for dealing with the events that will challenge the security of its data and infrastructure. Further, it will upset the delivery of the academic mission. Executed as strategic functions, the successes and values of the networks in terms of ensuring high standards of collaborative security practice have yet to be fully realized. They remain the subject of significant discussions within the security community.
8.1. Partnerships with Industry and Government Agencies
8.1.1. One of the best ways to enhance participation and engagement is through partnership and collaboration with private sector and government agencies. Such relationships can help to position the institution as a “source of well-trained potential employees and provide access to a wealth of resources and technical expertise.” Information sharing between industry partners, government agencies, and energy sector organizations can potentially produce valuable reports used to warn organizations of cyber threats and vulnerabilities. Additionally, this type of engagement can be useful in “keeping university leadership informed about current best practices and reflecting regional and national standards and policies at institutions.” Collaborating to remedy real-world problems can be used to unite diverse stakeholder objectives and motivate the collection and exchange of cyber information.
8.1.2. Industry sources offer additional recommendations for higher education staff concerning building partnerships. Particularly, it is suggested that higher education institutions consider alignment of interests and goals. It is noted that “while funding sources may offer potential funding to assist institutions in educating and enhancing cyber infrastructure and future employees for that sector, seeking potential partners that have cyber infrastructure as an integral part of their business model or societal mission generally makes approaching partnerships with these entities easier.” The same sources suggest developing collaborative workshops and training sessions, initiating joint research activities with industry, as well as developing a memorandum of understanding between the two for oversight.
9. Future Trends and Challenges in Higher Education Cybersecurity
As the cyber threat environment is continually changing, so too should universities and other higher educational entities’ cybersecurity profiles. Over the academic year, the cyber threat landscape has changed; future threats may come in the form of more sophisticated phishing campaigns and will arrive in a number of novel frontiers such as mobile devices, the cloud, and the Internet of Things. Fortunately, universities and other higher education institutions are proving more resilient; that resilience can only be maintained in an increasingly complex threat landscape if policies and procedures continue to adapt to both emerging threats and the technology used to fight those threats.
New information technology is likewise changing the way universities approach cyber resilience. Above all else, the practice is an art of risk management. This is complicated by the widely disparate systems that compose the typical campus. What unifies the evolving theory of campus cybersecurity is the use of artificial intelligence and machine learning. These evolving technologies are meant to be both preventative and predictive. Such technologies are rife with potential; being effective against insider threats might be the most remarkable property as insider threats are predicated more on psychology than the capacity of a cybersecurity program. At the same time, they open up a terrifying number of vulnerabilities; a powerful system of artificial intelligence and machine learning could be used against itself. Thus, the technology poses a legal and ethical challenge that implores the institution to predict the future behavior of a threat that does not yet exist. Finally, barriers will again emerge as diverse entities bring large new computing initiatives to campus as these programs will require monitoring and protection that goes above and beyond standard user activity. Tools such as a zero trust architecture, which verifies every user and devices some explicit trust for others, might be the mechanism through which the heightened risk of high-performance computing and artificial intelligence and machine learning projects can be mitigated. Indeed, the balance between driving technological transformation and managing the risks is becoming a principal strategic challenge for universities. Campus networks, cloud services, broadband networking, and cybersecurity policies are ever more entwined. Campuses must collaborate but also set aside time devoted specifically to confronting the obstacles to future innovation.
9.1. Artificial Intelligence and Machine Learning in Cybersecurity
Artificial intelligence (AI) and machine learning (ML) are likely to play significant roles in reshaping how cybersecurity is conducted in the future. In this context, AI can be used to refer to any intelligent system, i.e., not necessarily computer or technology related, including humans as well as animals. ML can then be considered a subset of AI and refers explicitly to algorithms developed from data to learn a task rather than programming explicitly what is needed. AI and ML can work to enhance detection, response, and prevention strategies in higher education institutions and can also prevent and mitigate cloud-based data breaches. One of the advantages unique to AI is that it can analyze large quantities of data quickly and efficiently in conjunction with some form of intelligent decision-making process to either replace a human operator-based decision or enhance a human decision-making process.
However, there is a significant flip side to AI being used by institutions to enhance security – the same AI and ML technologies, when implemented properly by attackers, can penetrate defenses and perpetrate breaches of data. Adversarial AI has the capability to reverse-engineer AI-created models so an attacker can bypass any security measures in place by the institution. As AI is further developed to predict vulnerabilities, so too do the capabilities of cybercriminals further develop AI technologies to appropriately exploit them. A ‘red ocean strategy’ approach is not sustainable in innovation, as competitors will either copy the process or offer new products with similar benefits. As a result, it is in the ‘blue ocean strategy’ of innovation, which is creating new demands with little or no competition, that institutions should focus if they seek to become industry forerunners in AI-based security systems. Avoidable, in-innovation pitfalls include building too generalized models that are too easily replicable and overreliance on AI to make security decisions without a human-in-the-loop perspective for possible threat vectors or ML biases. It will nevertheless be critical to train staff to audit and understand these new systems when operating efficiently in complex environments, simultaneously and temporarily managing legacy systems with evolving ones. This will be an IT function broadly, but specifically a false positive risk and data governance function from an audit perspective. (Chivukula et al., 2023; Yigit et al., 2024; Olney, 2023; Deng et al., 2024; Awotunde & Misra, 2022; Yu et al., 2024; Caballero & Jenkins, 2024; Singh et al., 2024; He et al., 2023)
References:
Chivukula, A. S., Yang, X., Liu, B., Liu, W., & Zhou, W. (2023). Adversarial Machine Learning: Attack Surfaces, Defence Mechanisms, Learning Theories in Artificial Intelligence.
Yigit, Y., Buchanan, W. J., Tehrani, M. G., & Maglaras, L. (2024). Review of generative AI methods in cybersecurity. arXiv preprint arXiv:2403.08701.
Olney, B. (2023). Secure Reconfigurable Computing Paradigms for the Next Generation of Artificial Intelligence and Machine Learning Applications.
Deng, C., Duan, Y., Jin, X., Chang, H., Tian, Y., Liu, H., … & Wang, H. (2024). Deconstructing The Ethics of Large Language Models from Long-standing Issues to New-emerging Dilemmas. arXiv preprint arXiv:2406.05392.
Awotunde, J. B., & Misra, S. (2022). Feature extraction and artificial intelligence-based intrusion detection model for a secure internet of things networks. In Illumination of artificial intelligence in cybersecurity and forensics (pp. 21-44). Cham: Springer International Publishing.
Yu, J., Yu, Y., Wang, X., Lin, Y., Yang, M., Qiao, Y., & Wang, F. Y. (2024). The Shadow of Fraud: The Emerging Danger of AI-powered Social Engineering and its Possible Cure. arXiv preprint arXiv:2407.15912.
Caballero, W. N., & Jenkins, P. R. (2024). On large language models in national security applications. arXiv preprint arXiv:2407.03453.
Singh, R., Sellitto, D., & Smith, S. D. (2024). An Investigation of the Role of Cybersecurity Professionals in Shaping AI Integration and Strategy.
He, J., Feng, W., Min, Y., Yi, J., Tang, K., Li, S., … & Zheng, S. (2023). Control risk for potential misuse of artificial intelligence in science. arXiv preprint arXiv:2312.06632.
Last updated: June 4, 2026