Universities react to cyber attacks

Like other schools nationwide, the University is reviewing its information security programs and making adjustments.

Blair Emerson

Incidents of cybercrime and data breaches have jumped in recent years — and higher education institutions like the University of Minnesota are responding.

High-profile data breaches have hit several college campuses in recent years. And although they aren’t hackers’ top targets, some institutions, including the University, are evaluating their information security programs and determining how to minimize future breaches.

The University’s information technology employees have presented to the Board of Regents for months, describing the network and efforts to protect the school’s information.

For example, current policies require computers connected to the University network to have virus and malware protection software. Also, University community members can store the institution’s private data only on school networks unless they get prior approval to store it elsewhere.

Despite these measures, the University faced 29 data breaches last year that resulted in the loss of more than 3,800 personal records.

Other higher education institutions have experienced breaches that were far more severe and led to the exposure of hundreds of thousands of records.

In February, a system breach at Indiana University uncovered the personal information of 146,000 students and recent graduates from across seven campuses.

In that same month, the University of Maryland fell victim to a breach that leaked more than 287,000 records of students, alumni, staff and faculty members.

At Indiana University, the majority of breaches are simply instances of security holes where outsiders could have accessed information, rather than planned attacks, said Mark Bruhn, the school’s associate vice president for public safety and institutional assurance.

He said administrators and staff members are implementing new policies, like reducing the amount of technology departments use, to mitigate possible breaches.

“Instead of eliminate, we’re trying to minimize the chances of those things happening here,” Bruhn said.

As technology evolves and cybercrime becomes more advanced, protecting information has become a pressing issue, said Lillian Ablon, a researcher at RAND Corporation, a global policy think tank.

“We’re coming to this world where it’s not just computers connected to servers, but we have this world of devices,” she said. “That offers a greater attack landscape for potential attackers to go in through.”

A recent RAND report shows that many cyber criminals target retail companies and financial institutions to collect credit card information and other information that can be easily monetized.

But at higher education institutions, cyber criminals typically go after personal information, rather than that of credit cards, Ablon said.

“When a university has been breached,” she said, “it is not so much a case of them being targeted, [but] more of a case of they happen to be insecure or be less secure.”

Still, University of Minnesota officials are taking extra measures to address information security and have formed several new policies.

To get an outside perspective, they’ve scheduled an external review of the school’s information security program that will offer recommendations on how to improve. Regents will discuss the findings at a May committee meeting.

“This is an issue that the entire community is discussing,” said Brian Dahlin, the University’s chief information security officer.

To ensure that these new policies are properly implemented and that the University community is aware of them, officials formed a group of staff, faculty members and administrators — called the Information Security Formal Community of Practice — to tackle information security and other issues.

“With a topic like security, that’s a responsibility that we all share, and we all should be concerned about our information and data security,” said Gabe Garlets, University Services IT director and member of the group.