Higher education institutions are experiencing an increase in data breaches, according to a new study conducted by researchers at Application Security Inc. The research indicates that attackers are gaining access to personal information of students, faculty and alumni at an increasing rate.
University databases hold everything from students' Social Security numbers, credit card numbers and health care records, making them prime targets for cybercriminals. Since 2008, there were 158 university data breach incidents, and more than 2.3 million compromised records have been reported. The research was conducted by Application Security's Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) research group.
Alex Rothacker, manager of Team SHATTER, said there are two main reasons for such an increase in database breaches.
"There is more and more reporting of these breaches. Before they were not even detected or they were not reported as much," Rothacker said. "Then the general issue is the value of [personally identifiable] information, and the Internet is making it easier to get."
The amount of personally identifiable information (PII) in university databases is only one reason schools tend to be targeted by cybercriminals. In addition, the IT staff is often largely recruited from the student body, leading to less experienced teams and a higher turnover rate, Rothacker said. Malicious hackers see this as a weakness that can often be easily exploited.
Aside from the loss of sensitive information, the monetary cost of a breach "can be catastrophic," Rothacker said. The study, conducted with Milford, Mass.-based Enterprise Strategy Group, found that enterprises spend less that 4% of their IT budgets on database security.
The cost for updating system security would be considerably less than the cost of fixing a breached system, Rothacker said. The Ponemon Institute estimates that each record lost costs an organization $204. Based on Team SHATTER's findings, those breaches would cost higher education institutions more than $450 million.
To put this in perspective, earlier this year a university in Georgia reported a database breach in which the attackers gained access to 170,000 records. Based on Ponemon's cost per record breached, it would have cost the institute over $34 million to repair the system.
So how can an organization protect its database from a breach that could cost millions of dollars to fix? Rothacker says to be proactive. "Keep databases that have sensitive information in a separate network with tighter access controls than all the other databases and be really careful about who has access to that data and make sure those databases are always patched with all the latest patches and hidden behind the proper firewalls," said Rothaker.