The number of cyberattacks affecting universities nationwide has increased during the pandemic, a trend experts said GW should address with increased cybersecurity and information security measures and data protection education.
Officials responded to at least two cyberattacks this academic year, including third-party data breaches that targeted Kronos, an employee time-reporting system, and MyLaw, an online platform that GW Law uses to store student personal information and class materials. The outages at GW mirror national trends at higher education institutions, with the number of ransomware attacks on US universities rising from 13 in 2019 to 26 in 2021.
Acting Chief Technology Officer Jared Johnson said school districts and higher education institutions have faced “increased cybersecurity activity” like email phishing, Zoom bombings, ransomware and identity theft in light of the increased reliance on remote learning and working during the pandemic.
“The University continues to focus on protecting our community in an evolving threat landscape and does so through ongoing investments in our cybersecurity infrastructure, continuous assessment of our capabilities, engagement with external partners (commercial, governmental and community like [Research and Education Networks Information Sharing and Analysis Center] and [Health Information Sharing and Analysis Center]) and providing resources to help build cybersecurity awareness,” Johnson said in an email.
He said the University is hosting a Cybersecurity Awareness Month in October with guest speakers and cybersecurity panel discussions, and officials have invested in hallway signage to raise cybersecurity awareness.
“Later this spring, GW [Information Technology] will launch security awareness training modules for the GW community and include topics on social engineering, password management, mobile device security, and managing and sharing sensitive information,” he said.
The attack on MyLaw kept the system down for almost four weeks starting from final exams, leading to concerns and frustration among students about the security of the University. Officials reported the attack to the FBI, which declined to comment on the outage.
Kronos, the employee time-reporting system, had been down for more than a month, and officials said personal information such as email addresses and NET IDs may have been compromised in the attack.
The GW community suffered at least two additional cyberattacks during the 2020-21 academic year. One affected GW Hospital when its majority owner, Universal Health Services, suffered an attack in October 2020. Another leaked payment information last spring belonging to students purchasing items for Commencement as part of an attack on a company that sells caps and gowns to students across the country.
Officials increased funding for cyber attack protection in 2016 in response to an increased number of reported scams at the time.
Cybersecurity experts have said officials should invest more funds in information security for modern defense systems and increase education and awareness among members of the university community about common security risks to combat the increase in attacks.
Marcus Rogers, a professor of cybersecurity initiatives at Purdue University, said universities often don’t allocate large sums of money to information security until after an attack. He said information security is not a “high priority” at most universities because proper security funding is usually costly, leading to understaffed and underfunded security departments.
“It’s all about the money,” Rogers said. “It’s expensive to do it right, it’s expensive to hire the right people, it’s expensive to maintain your equipment, it’s expensive to update that hardware and at the end of the day it doesn’t pay off. no money in college.”
Rogers said universities are “vulnerable” to attacks because they store a wide range of data such as research projects and private information about students and staff members, such as Social Security numbers and personal information about health.
“There is always a risk of identity theft for students, faculty and staff whose human resources and health information could be hacked at a university,” Rogers said. “We’ve seen cases of attacks where social security numbers, dates of birth, all that kind of personal health information has been hacked.”
Rogers said GW’s data collection project that tracked students’ whereabouts on campus in the fall, which acting University President Mark Wrighton revealed to students earlier this month, “absolutely” made GW a bigger target for cyberattacks. Rogers said personalized information collected, such as where students congregate on campus, is crucial for data collectors like marketers.
“That kind of information can be extremely important to certain types of foreign intelligence community or even mass marketers who want to be able to basically track some of the places you go,” Rogers said. “The more personalized data there is, the more an institution becomes a significant target.”
Ming Chow, a computer science professor at Tufts University, said individuals can protect themselves from cyberattacks with safeguards such as password managers – secure databases that store individuals’ passwords – and two-factor authentication. He said the attacks mainly occur against those with weak password protection.
“The advice is for everyone at all levels: president, student, staff, etc.,” he said in an email. “The fact is that too many systems and accounts are hacked because of a weak password being used.”
Engin Kirda, a computer science professor at Northeastern University, said modern defense systems would be most effective in protecting information systems at universities. Kirda said such systems are “expensive” and user training, which can teach students and professors not to click on suspicious links, is also crucial.
“There are modern defense systems that can be expensive, but would be important to protect information systems (for example, solutions that provide some kind of sandboxing capabilities and new endpoint defense agents),” Kirda said in an email.
Anton Dahbura, executive director of Johns Hopkins University’s Information Security Institute, said universities should invest more time and effort in teaching cybersecurity, which can help inform students and staff on strategies they can use to combat attacks. He said universities should make cybersecurity a “top priority” if they haven’t already.
“Cybersecurity has become a discipline in recent years, and universities must adopt the discipline in order to reduce the number of vulnerabilities in its systems and keep hackers at bay,” Dahbura said in an email.
Faith Wardwell contributed reporting.