The nation’s top schools are at high risk for a security breach, according to a new report by BitSight Technologies. The report looked at security performance across college athletic conferences from July 2013 to July 2014 and found that as a sector, higher education was at a greater risk for security breaches than either retail or healthcare.
“While not surprising given the unique challenges universities face securing open campus networks, it’s concerning to see that they are rating so far below other industries that we’ve seen plagued by recent security problems,” Stephen Boyer, co-founder and CTO of BitSight, said in a prepared statement.
The report found that most schools that rated highly on security employed a CISO or director of information security, demonstrating how crucial it is to have a top-down commitment to security.
The BitSight platform uses publicly available data to rate the security performance of organizations on a daily basis. Observed security events and configurations, such as communication with a botnet, malware distribution, and email server configuration, are assessed for severity, frequency and duration and used to generate objective Security Ratings that range from 250 to 900. Higher ratings equal higher security performance. Collegiate athletic conference ratings are calculated using a simple average of the Security Ratings of colleges and universities in each conference.
Key Findings:
Schools at the Bottom of the Draft
Colleges and universities are failing to adequately address security challenges, with the Security Ratings of athletic conferences averaging around 600. This is considerably below retail and healthcare, two other industries that have faced serious data breaches in the past year.
Blitzed by Malware
Higher education institutions experience high levels of malware infections, the most prevalent infection coming from the Flashback malware, which targets Apple computers. Other prominent malware includes Ad-ware and Conficker.
Homecoming Challenges
Overall security performance declines significantly during the academic year, from September to May. The conferences see an overall 30-point drop in Security Ratings. This is likely due to the influx of students and devices on campus networks.
Powerhouses Have a Playbook
The schools included in our analysis with a Security Rating of 700 or above all have a dedicated CISO or Director of Information Security on staff. Such prioritization of information security is a key indicator of better security performance.