As colleges and universities across the U.S. get ready to welcome new and returning students, they would be wise to do more to make sure some doors remain firmly shut. Cybercriminals are breaching the hallowed halls of learning at an alarming rate. One estimate shows that ransomware attacks alone doubled between 2019 and 2020. The situation has escalated to the point that the FBI issued an advisory notice earlier this year.
According to Verizon’s latest Data Breach Investigations Report (DBIR), education ranks in the top five industries for security incidents. What makes education in general, and universities and colleges in particular, such popular targets of attack?
Although high-profile ransomware attacks may garner the most attention, attacks on universities run the gamut. The Verizon DBIR found that 86% of attacks on educational institutions fall into one of three categories: social engineering and phishing, miscellaneous errors such as database misconfigurations, and system intrusion.
The porous perimeters that encourage collaboration and participation make university and college networks especially vulnerable to phishing and push attacks. These allow cybercriminals to steal sensitive information such as usernames, passwords and other unique identifiers that can be used in further attacks. In fact, credential attacks are the most common starting point for intrusions into higher education systems. Once inside, the attacker can move on to installing malware such as the ransomware that hit the University of California, San Francisco.
In order to better protect their perimeter, many universities are deploying multi-factor authentication (MFA) to make sure only legitimate authorized users gain access. Those institutions that do business with the federal government will soon have no choice.
However, MFA initiatives bring their own set of problems. Traditional MFA generally includes a password as one authentication factor, which makes it effectively single-factor authentication because passwords have been compromised at scale. Some MFA approaches require two stronger authentication components, but these can add friction to the login process and can still be compromised by clever phishing or push attack schemes.
The most efficient and secure way to prevent these breaches is to remove the most common entry point entirely. Passwordless multi-factor authentication (MFA) does not depend on passwords or centralized credentials.
Universities and colleges should consider providing students, faculty and researchers with a QR code login experience. It’s passwordless, multi-factor, and it prevents attacks that prey on push fatigue. A user simply logs into their SSO-managed web apps by scanning a QR code with the HYPR App or camera on their registered smartphone. It’s extremely easy for anyone to use and there are no credentials to compromise or exploit.
To learn how passwordless MFA delivers secure authentication for your higher-ed organization, contact us for a free demo.