October 2022: Why are individuals and colleges targeted so much by cybercriminals?


We're continuing the second week in National Cybersecurity Awareness Month.  For the previous posts (and other security articles we've posted) please see: www.newpaltz.edu/ncsam.

I wanted to discuss why we as individuals, or as students, faculty, or staff of the college, are so likely to be targeted by cybercriminals.  A lot of people have asked me "why would anyone be trying to get into my accounts?  I don't have any special access." or variations of that.

Why are individuals targeted?

Cybercriminals can be specific in who they target, or completely indiscriminate.  Some cybercriminals will send the same sort of emails to thousands of people in the hopes of a few of them falling for their messages (by opening attachments, responding with sensitive info, etc.).  Others will target specific businesses, or even specific individuals at businesses.

Even people who think they don't have anything worth targeting most likely have email accounts or social media accounts.  The criminals can then use those accounts to further spread their reach.  Some criminals even target elderly family members with claims about the health and safety of their grandchildren or other relatives (as an example, see the FCC's page about Grandparent Scams).  Think of what your friends or family might do with an email that appears to come from you, but is really from a cybercriminal who has compromised your account.

Many others use online banking, including person-to-person payment services like Venmo.  Think of what a cybercriminal could do if they compromised your bank or payment account.

Aside from getting access to your personal information/accounts, cybercriminals may use the access they gain from regular faculty, staff, and students to get access to other systems at the college.
 

Why are colleges and universities targeted?

The number of attacks on colleges and universities is increasing.  Nearly three-quarters (74%) of ransomware attacks on higher education institutions succeeded, as per a report from Sophos.

There's a perception (for some schools an accurate perception) that they are flush with cash and can easily pay ransoms to cybercriminals.  Criminals believe that schools will pay to either restore access to their systems, or to prevent the criminals from releasing sensitive information to the public as an extortion tactic.  This is why many schools, when faced with a ransomware attack, have paid the ransom (which sadly makes the criminals richer, better funded, and able to continue attacks on others).

As an example, the University of California, San Francisco (another state school like us) paid $1.14 million in a ransomware attack.  The average remediation cost of a ransomware attack on a college is $1.42 million, and the average recovery time is long (over a month for 40% of impacted schools).

Colleges also have a wide range of systems available to their users (from on-campus and off-campus).  There are a lot of potential ways colleges can be attacked.

What can we do about this?

We in Information Technology Services are doing all we can to protect the security of our systems, including the confidentiality of our student, employee, and donor data, as well as ensuring the availability of our systems.  This gets easier when everyone in our college community is aware of the threats we and other colleges face.

There are some actions we as individuals can take to supplement the work we're doing here.

  • Look over your personal accounts and see if you have MFA (Multifactor Authentication) enabled on them (as per the notice last week).
  • Do you have a PIN or passcode on your personal devices (phones, tablets, computers) in case they are lost or stolen?
  • Do you keep your personal devices up-to-date?

Additionally, for faculty and staff, as well as college departments:

  • Have you reviewed the files (paper and electronic) your department has?  Do you have any documents or files that you are keeping which you no longer need but which carry risk (for example, paper or electronic files with sensitive information)?

Thank you all for your continued caution online!

 
