David Gagnon is audit partner and national industry leader for higher education and other not-for-profits at KPMG. Tony Hubbard leads KPMG's government cybersecurity practice. Kathy Cruz is a director in KPMG's government cybersecurity practice.
This op-ed draws in part from an audit insight from KPMG U.S.
After two years of disruption, institutions of higher education are successfully deploying new strategies for growth while navigating the continued challenges from distributed workforces, hybrid learning and ongoing social and economic dynamics. While the sector has been resilient in the face of unheralded challenges, higher education has unique vulnerabilities that make it a prime target for cyberattacks.
College and university boards and leadership teams should be taking proactive steps to bolster their cybersecurity infrastructure and educate employees and other key stakeholders about the risk that cyberattacks pose to institutions' finances and reputations.
Some of the cyber risks faced by colleges and universities are a product of unique COVID-era circumstances. Higher education institutions were forced to rapidly build out their digital infrastructure to ensure continuity of learning and working amid the pandemic. While this was necessary, it also created new entry points for cybercriminals to leverage malware and other malicious tactics to extract data, force ransom payments and wreak havoc.
Relative to other sectors, colleges and universities are uniquely vulnerable to cybercrime for several reasons. For one, they house valuable research intelligence and proprietary student data. In the case of universities with affiliated academic medical centers, they also hold patient medical records. And, unlike a centralized public company, higher education institutions typically operate in more open information technology environments. While optimal for collaboration and information sharing, these decentralized environments are prime breeding grounds for cybercriminals as well. Additionally, higher education lags other industries in its investment and expertise in cybersecurity.
Risks to higher education institutions stretch far beyond the threat of a data breach or forced network outage. Universities, and the cities and states in which they operate, place great importance on their public image in order to attract new applicants, retain top talent and stay ahead of the competition. One successful data breach can trigger significant ramifications not only for an institution's finances but also for its reputation and prestige.
While the threat landscape is expansive, higher education institutions are increasingly embracing cutting-edge security solutions and taking proactive measures to protect their students, faculty, staff and other stakeholders. Education is a vital component of this effort. Cyberattacks manifest in a variety of ways, from sophisticated phishing operations to simple malware tricks. To stay abreast of these tactics, higher education institutions can implement regular training, awareness campaigns and tabletop simulations. They can also conduct frequent vulnerability assessments for all third-party vendors and develop comprehensive response playbooks to prepare for cyberattacks.
Information sharing is integral to the world of academia. At times, however, colleges and universities must restrict access to sensitive information to those who truly need it. A zero-trust security model is a helpful tool to reorient security decision-making. With it, institutions assume that their systems will be breached, and therefore shift their focus to understanding the identity, device, data and context of each entry into the system. While implementing such an intensive protocol requires significant funding and personnel, lower-level threats can be automated so that cyber professionals can focus their efforts on matters requiring human intervention.
Higher education institutions should continue to strengthen their cyber policies, governance and risk models and regularly pressure test their baseline tactics. This entails increasing the frequency of penetration testing — authorized simulated cyberattacks to identify weaknesses in an organization's defense system — as well as red team testing, in which red teams attempt to attack an organization's cybersecurity defenses while blue teams defend and respond. Institutions should also regularly refresh incident response playbooks, conduct system backups and revisit policies for all third-party interactions, such as establishing minimum cybersecurity standards for vendors.
Information technology auditors can support colleges and universities in understanding the specific risks and vulnerabilities they face. And boards, including audit and risk committees, can foster an environment in which enhancing cybersecurity and mitigating cyber risk are key factors in all strategic decision-making. Embedding cyber security into higher education board and leadership priorities is essential to ensuring that the time, resources and costs devoted to addressing cyber risk do not adversely impact an institution's operations or pursuit of academic excellence.
The hard truth is that cybercrime is inevitable in today's threat ecosystem, but there are concrete steps higher education institutions can still take to limit the scope, frequency and repercussions of these events. While institutions may not be able to weed out the threat entirely, they can make significant strides in protecting their data, resources and reputation.