Password Hygiene: A Prerequisite for Higher Education

In March of this year, the FBI issued a warning to colleges and universities that were increasingly targeted for ransomware. Despite these institutions’ best efforts, addressing cybersecurity concerns were overshadowed by more pronounced controversies around mask mandates, vaccines, and uncertainty around in-person vs. virtual learning.

Everyone was distracted and attackers took notice – they spent the first half of 2021 making education the hardest-hit sector, with ransomware accounting for 32% of attacks compared to 11% the previous year. On September 3, these efforts culminated in a high-profile ransomware attack on Howard University, an event perfectly timed to disrupt an already chaotic back-to-school rush.

Target-Rich Environments

Schools, colleges and universities are inevitably ground-zero for every cultural hot-button topic; gender, equality, diversity, and public safety tend to dominate. Cybersecurity, by nature, happens behind the scenes and is less visible to the core business of schools.

This is likely to change as hacking attempts on schools and universities have been increasingly common. These institutions hold a considerable amount of personally identifiable information (PII). That data contains information about professors, staff, donors and of course, students. More importantly, this data contains potentially damaging information, including medical history and disciplinary records, making them attractive targets for extortion.

    • In March, The Broward County School District in Fort Lauderdale, FL refused to pay a $40 million ransom demanded by the Conti ransomware group. In response, the hackers published 26,000 stolen files online.
    • The University of California San Francisco paid $1.14 million to attackers who encrypted and threatened to publish sensitive records stolen from the School of Medicine as they were working on a cure for COVID-19.
    • In the case of Howard University, a ransomware attack forced the University’s Enterprise Technology Services team to shut down its network and execute a “cyber day” where classes and services were closed to all.

In addition to PII, many large private colleges and universities have large endowments and donations that make them attractive to criminals. An attack on Blackbaud, a fundraising platform used by 45,000 U.S. universities, raised red flags over possible exposures of private donor data. Additionally, many university research projects contain research that could be interesting to ransomware groups backed by U.S. adversaries.

Making Cybersecurity an Educational Priority

While schools, colleges and universities all offer unique opportunities and payouts for attackers, the challenges for IT remain the same, albeit with slight nuances inherent to a student-first organization. Like any traditional enterprise, students and staff use school email accounts for personal use, often reusing passwords for those accounts on multiple sites. When they do, they make it easy for cybercriminals to get into not only the personal accounts but find their way into school accounts as well.

Knowing this, what can educational institutions do to minimize the threat? Obviously, data back-ups and additional layers of authentication (MFA) are critical, but they are not fail-safes. Humans, however, can be counted on to make mistakes and, in turn, provide the largest and most reliable breakdown of proper cyber defense protocols.

The University of Oklahoma, for example, found success when they honed in on remediating credential exposures for the 80,000+ active accounts in its network. Establishing a strict campus-wide password policy, students, faculty and staff are obligated to reset their passwords at least once a year with an eight-character minimum and complexity requirements. The same password cannot be reused for five cycles. Once good password habits were enforced, the school moved on to catching credential exposures and remediating them before they appeared on public forums.

If you get your password compromised in one place, you can bet it’s compromised everywhere you reuse passwords. We need users to understand the many dangers that are inherent with emails and passwords.

- Aaron Baillio, CISO at University of Oklahoma

Traditional enterprises already struggle to get adult users to be proactive about security, but higher education’s student user base poses an especially weak link in the security chain. According to the 2021 Verizon Data Breach Investigation Report, nearly 50% of all breaches in the education sector were social engineering attacks. Regardless, students need infinite access to the internet for homework, project research, and socializing – and they are definitely not worried about keeping the school’s network secure. But any learned behavior students acquire about cybersecurity today will only help them in their next professional chapter and beyond.

Learn how the University of Oklahoma remediated 1,000 exposed email accounts in less than 24 hours with SpyCloud.

Stop exposures from becoming account breaches.