Venminder Blog

TPRM and Higher Education: Why Hackers Want Student Data

Written by Venminder Experts | Apr 5, 2023 5:00:00 AM

The higher education (higher ed) sector has become a prime target for cybercriminals, and cyberattacks are on the rise. Almost 64% of higher ed institutions were hit by ransomware and cyberattacks in 2022. By comparison, 44% of higher ed institutions reported cyberattacks in 2021. Several data breaches at higher ed institutions occurred at the third-party vendor level. And it was platforms hosting online learning systems that were particularly vulnerable. 

Why Higher Education Has Become a Prime Target for Cyber Crime

The administrators of several higher ed institutions, especially those without mature third-party risk management (TPRM) programs, are left with many questions about how and why higher ed has become a prime target for cybercriminals. 

Some of the main reasons cybercriminals target higher ed institutions are:

  1. Security issues. A 2018 report by Security Scorecard ranked education last in cybersecurity of all other industries surveyed. Most colleges, particularly public ones, can’t maintain adequate budgets for IT security. Many also lack formal third-party risk management programs which can identify and mitigate potential risks before they become a problem.
  2. Open networks and lots of apps. It's common for departments to buy their own systems and apps. Many systems and app vendors don't complete a central vetting process or security screening. Security screenings, if they exist, are often limited to cloud-based providers.
  3. Students are easy targets. Colleges welcome new students each year. With such a large population, it’s difficult for them to provide comprehensive cyber education. Many people lack experience in cybersecurity and are susceptible to common forms of hacking, such as phishing, social engineering, website spoofing, and password theft. 
  4. Unregulated devices are prevalent on college campuses. Almost everyone has a laptop, desktop, phone, or tablet. Every unregulated device connecting to the network creates a new opportunity for hackers.
  5. Open campuses. You can't find a better environment for social engineering, tailgating, or man-in-the-middle attacks than a college campus. Visitors can sometimes enter undetected, plant USBs, intercept traffic, or enter labs and research areas.

Why Student Data Is Vulnerable 

Students often have new credit histories and limited work and residence history making them the perfect targets for identity theft, and university databases are treasure troves for hackers due to the wealth of information they contain. Enrolling students provide their name, address, phone number, date of birth, credit card numbers, social security number, driver's license number, bank account information, and sometimes even their medical records. Hackers can use stolen personal information to open bank and credit card accounts, get fraudulent identification, and engage in various scams and money laundering. 

Cybercriminals frequently target .edu and .org addresses since they’re perceived as more trustworthy than .com addresses – especially within university networks. It's amazing how often attackers successfully trick people into revealing sensitive information or installing malicious software on their computers and networks. Students, professors, and staff are unlikely to question an attachment that appears to have been sent by a colleague or administrator.

Here are example scenarios of recent phishing emails to student and staff accounts:

  • Emails appearing to come from a legitimate university account asking students to "Verify the Identity of Your Account."
  • Emails to parents, supposedly from the financial aid department, requesting bank details to deposit a student grant their child had been awarded. 
  • A scam offering students $300 to participate in a university study. Once personal information was provided, students were sent a fake check for $600 and told to keep $300 and transfer the rest into another account. The checks ultimately bounced after the students had transferred the money.

Mundane personal information can also be extremely useful for hackers hoping to impersonate friends or family members as part of a phishing attack. According to a Proofpoint 2022 survey , over 30% of users in the education sector have fallen victim to phishing scams posing as corporate communications, which is double the rate of the general population.

Protecting Student Data With Third-Party Risk Management 

While many higher ed data breaches occurred with third-party online learning platform providers, the need for TPRM does not stop with cloud-based services. Institutions seek to cut administrative costs by contracting with third parties to provide services. That means there is an increase in vendors who have potential access to personal data, including student health services, student housing, and food services, to name a few. Institutions that neglect to implement robust third-party risk management practices play a dangerous and often losing game of cybersecurity roulette.

This is why proper TPRM is needed to protect institutions’ and students’ data. Here are some benefits third-party risk management can bring to the higher education industry: 

  • Manage vendors appropriately. When TPRM practices are effectively implemented throughout an organization, all vendors can be evaluated for risk and managed appropriately. This includes activities such as re-assessments and ongoing monitoring to ensure that organizations are protected from new and evolving risks.
  • Prioritize vendor scrutiny based on the risk posed. A risk-based TPRM approach allows for higher-risk vendor relationships to be prioritized and managed with more scrutiny. For example, vendors that store sensitive data about financial aid would undergo more rigorous monitoring than a vendor that provides custodial services. 
  • Review vendor controls. TPRM practices, such as vendor risk assessments and due diligence reviews, proactively identify those vendors with insufficient controls, such as  cybersecurity practices that are too relaxed and substandard privacy protections.

Institutions should take inventory of all third-party providers and create policies and procedures to ensure that all vendors are evaluated for risk. Colleges and universities must establish robust third-party vendor management programs to protect their students' data and prevent cyberattacks.
View full post