Following the recent PowerSchool breach, it’s never been clearer that education institutions, just like any business or organization, need to pay careful attention to their cybersecurity posture and that of the third parties they work with. But PowerSchool isn’t the only major incident that has brought this issue to the forefront. In fact, just this past year, institutions like Texas Tech, New Mexico Highlands University, and New Jersey City University have all fallen victim to ransomware, proving that cybercriminals are turning up the heat on targeting the education industry.

The reality is this trend won’t stop unless education providers take action. As it stands, cybercriminals see schools as an easy path to success with a low barrier to entry. Higher education institutions are tasked with safeguarding and storing the sensitive, high-value data of their students and staff — from cutting-edge academic research to social security numbers, and everything in between. Simultaneously, few institutions are fully equipped with the proper capabilities or technologies to protect such critical information, often running on outdated, legacy systems due to strapped IT budgets and resources. If nothing changes, we’ll likely continue to see cyberattacks hamper the higher education sector.

Higher education needs to recognize that cyberattacks have become inevitable, and it’s time to prepare accordingly. Here are six steps these “target rich, cyber poor” institutions can take to help defend against emerging cyber threats:

Implement multi-factor authentication

Between a variety of different users, organizationally-owned devices, and the personal devices accessing shared networks and databases, higher education institutions have millions of endpoints and, consequently, millions of opportunities for attackers to break through inadequately equipped defenses.

As organizations look to bolster security, multi-factor authentication (MFA) is no longer a nice-to-have, but a necessity — and it's an easy initial step to fortify defenses. MFA ensures better protection for networks, data and users, all at a low to no cost. As one of the core cybersecurity basics, organizations that haven’t yet implemented MFA are already behind. 

Regularly update and patch systems

Plagued by strained IT budgets, higher education institutions often lack the latest technologies as part of their defense against attacks. This in turn means they must prioritize keeping their legacy systems regularly updated, especially after software providers announce major updates or patches to any vulnerabilities. 

For example, last year, the University System of Georgia, which oversees 26 higher education institutions in the state, confirmed that it was the victim of an attack on its systems affecting the data of 800,000 people due to a flaw in Progress Software’s MOVEit MFT tool. Common tools like this are often exploited due to popularity, so it’s important to ensure these technologies are updated and patches are implemented in a timely manner. Even a small wait in between updates can provide cybercriminals with an open door to sensitive information. It’s high time the education industry locks the door and throws away the key.

Conduct regular security audits

As threats rapidly evolve, higher education institutions need to stay on top of how these developments impact the security processes, tools, and measures they already have in place. Conducting regular audits to assess, identify, and reduce potential weaknesses or vulnerabilities allows organizations to keep abreast of where they need to tighten defenses or create change to reduce threats. 

A robust security audit should include risk assessments, compliance audits, vulnerability assessments, penetration testing, access controls, process audits, policy reviews, incident response evaluations, and information privacy reviews — at least to start. Incorporating these elements and running audits on a routine basis not only allows for better prevention but prepares organizations to more quickly and easily address security problems and introduce faster, more comprehensive solutions.

Educate staff and students 

With so many endpoints come many users responsible for helping maintain their security. Higher education institutions are particularly susceptible to threats like phishing and ransomware, which target users ill-equipped for proactive prevention, threat identification, or even quick response.

Educating those users — largely students and faculty — to understand what a threat may look like, how to handle it, and what to do should they find themselves in a situation where they think they’ve let through an attacker minimizes the threat landscape while increasing the number of eyes on the lookout for potential problems.

Institutions with an eye on cybersecurity can implement required, relevant training as part of a student’s annual curriculum and their faculty’s ongoing development or compliance requirements. To keep training fresh, regular email reminders and quizzes can also be distributed throughout the year. Educating users on how to identify potential threats and use proper security procedures can turn vulnerable endpoint owners into a better defense against attacks.

Have a response plan

Organizations must understand that cyberattacks aren’t a possibility, but an inevitability, and should be fully prepared to address one when it happens. Creating a comprehensive response plan in advance can help cybersecurity teams move quickly in the event of a breach to ensure minimal damage. These plans should detail how the institution identifies an incident, contains it, and then takes the proper measures to recover from losses as well as report the response as necessary to stay compliant.

Strong response plans aren’t only the responsibility of an organization’s cybersecurity team. These plans require buy-in from a variety of stakeholders, including those involved in legal, IT, communications, and relevant academic departments, to ensure data is well-protected and threats are well-covered in the event of an attack. Forming a dedicated incident response team ensures nothing slips through the cracks during any stage of response.

Collaborate with cybersecurity experts

Although comprehensive cybersecurity requires effort across a variety of teams, leaders, users, and experts, it’s still vital for higher education institutions to cooperate and learn from those with a technical background who know the ins and outs of it best. Cybersecurity experts are just that — experts — for a reason. 

In addition to using consultants, hiring teams and team members with technical expertise and cybersecurity backgrounds can help organizations bolster their defenses, stay up-to-date on the latest industry trends and technology, and tighten defenses against potential threats or risks. Additionally, these consultants can share learnings from others in the cybersecurity space to increase an institution’s leaders’ and security teams’ knowledge about current and future threats.

Better protection means starting today

Between a growing threat landscape, lack of budget for cybersecurity, and outdated systems and processes, the higher education industry is a hotbed for expensive, damaging cybercrime. However, prevention is a key element of the cure, and the above measures allow institutions to better protect themselves against motivated cybercriminals. It’s time for higher education to start acing cybersecurity, empowering students and staff to operate with confidence in today’s digital world.