Higher Ed Needs Smarter Authentication Strategies

As colleges and universities across the U.S. get ready to welcome new and returning students, they would be wise to do more to make sure some doors remain firmly shut. Cybercriminals are breaching the hallowed halls of learning at an alarming rate. One estimate shows that ransomware attacks alone doubled between 2019 and 2020. The situation has escalated to the point that the FBI issued an advisory notice earlier this year.

Why Are Cybercriminals Targeting Higher Education?

According to Verizon’s latest Data Breach Investigations Report (DBIR), education ranks in the top five industries for security incidents. What makes education in general, and universities and colleges in particular, such popular targets of attack?

• PII and other Valuable Information: Universities and colleges collect and store massive amounts of information on their students, faculty and staff. This data includes social security numbers, banking information, health records and other sensitive information that criminals can share and sell on the dark web. Health records alone can net up to $1K each.
• Universities Are Vulnerable to Cyber Extortion: Attackers hold sensitive information or websites captive to  pressure universities and colleges into paying a ransom. The University of California, San Francisco, coughed up more than one million dollars last year after hackers encrypted and threatened to publish information stolen from the institution’s School of Medicine. The University of Utah paid nearly half a million dollars to protect student data in a similar attack. Cybercriminals know that most universities hold cyber insurance policies that cover such events.
• Intellectual Property and Research Data: Critical research and intellectual property — including military research — often springs from university labs. Last year, Chinese hackers attacked MIT as well as 27 other universities to steal classified military research.
• Universities and Colleges Are Easy Hacking Targets: Higher education institutions are built on the idea of encouraging collaboration and ease of use, so they keep networks relatively open. It’s difficult to balance open, accessible learning spaces and security. With the COVID-19 pandemic faculty members and students have become accustomed to remote learning — all from a variety of devices — making securing college systems and data more difficult than ever.

Common Types of Attacks on Higher Ed

Although high-profile ransomware attacks may garner the most attention, attacks on universities run the gamut. The Verizon DBIR found that 86% of attacks on educational institutions fall into one of three categories: social engineering and phishing, miscellaneous errors such as database misconfigurations, and system intrusion.

The porous perimeters that encourage collaboration and participation make university and college networks especially vulnerable to phishing and push attacks. These allow cybercriminals to steal sensitive information such as usernames, passwords and other unique identifiers that can be used in further attacks. In fact, credential attacks are the most common starting point for intrusions into higher education systems. Once inside, the attacker can move on to installing malware such as the ransomware that hit University of California, San Francisco.

Passwordless MFA Gets the Highest Grade to Secure Higher-Ed Authentication

In order to better protect their perimeter, many universities are deploying multi-factor authentication (MFA) to make sure only legitimate authorized users gain access. Those institutions that do business with the federal government will soon have no choice.

However, MFA initiatives bring their own set of problems. Traditional MFA generally includes passwords as one authentication factor, which is effectively single factor authentication because passwords have been compromised at scale. Some MFA approaches require two stronger authentication components but these can add friction to the login process and can still be compromised by clever phishing or push attack schemes.

The most efficient and secure way to prevent these breaches is to remove the most common entry point entirely. Passwordless multi-factor authentication (MFA) does not depend on passwords and centralized credentials.

Universities and colleges should consider providing students, faculty and researchers with a QR code login experience. It’s passwordless, multi-factor, and it prevents attacks that prey on push fatigue. A user simply logs into their SSO-managed web apps by scanning a QR code with the HYPR App or camera on their registered smartphone. It’s extremely easy for anyone to use and there are no credentials to compromise or exploit.

To learn how passwordless MFA delivers secure authentication for your higher-ed organization, contact us for a free demo.