Skip to content
ADVERTISEMENT
Sign In
  • Sections
    • News
    • Advice
    • The Review
  • Topics
    • Data
    • Diversity, Equity, & Inclusion
    • Finance & Operations
    • International
    • Leadership & Governance
    • Teaching & Learning
    • Scholarship & Research
    • Student Success
    • Technology
    • Transitions
    • The Workplace
  • Magazine
    • Current Issue
    • Special Issues
    • Podcast: College Matters from The Chronicle
  • Newsletters
  • Events
    • Virtual Events
    • Chronicle On-The-Road
    • Professional Development
  • Ask Chron
  • Store
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
  • Jobs
    • Find a Job
    • Post a Job
    • Professional Development
    • Career Resources
    • Virtual Career Fair
  • More
  • Sections
    • News
    • Advice
    • The Review
  • Topics
    • Data
    • Diversity, Equity, & Inclusion
    • Finance & Operations
    • International
    • Leadership & Governance
    • Teaching & Learning
    • Scholarship & Research
    • Student Success
    • Technology
    • Transitions
    • The Workplace
  • Magazine
    • Current Issue
    • Special Issues
    • Podcast: College Matters from The Chronicle
  • Newsletters
  • Events
    • Virtual Events
    • Chronicle On-The-Road
    • Professional Development
  • Ask Chron
  • Store
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
  • Jobs
    • Find a Job
    • Post a Job
    • Professional Development
    • Career Resources
    • Virtual Career Fair
    Upcoming Events:
    Student Housing
    Serving Higher Ed
    Chronicle Festival 2025
Sign In
News

Keeping Up With the Growing Threat to Data Security

By Lee Gardner April 9, 2017
If hackers get into a college’s network, they can gather terabytes of research data or emails to sift for possible profit. “It might take years to look at it,” says Mitchel Davis (right), chief information officer at Bowdoin College, “but they want to get hold of it.” Steven Blanc, associate chief information officer, says, “security is not something that IT does, it’s something the college does.”
If hackers get into a college’s network, they can gather terabytes of research data or emails to sift for possible profit. “It might take years to look at it,” says Mitchel Davis (right), chief information officer at Bowdoin College, “but they want to get hold of it.” Steven Blanc, associate chief information officer, says, “security is not something that IT does, it’s something the college does.” Heather Perry for The Chronicle

Last fall, Donald Trump theorized that the computer hacker who stole emails from the Democratic National Committee could have been “someone sitting on their bed that weighs 400 pounds.” But the stereotypical rogue nerd isn’t the threat that most concerns information-security officers on college campuses.

To continue reading for FREE, please sign in.

Sign In

Or subscribe now to read with unlimited access for as low as $10/month.

Don’t have an account? Sign up now.

A free account provides you access to a limited number of free articles each month, plus newsletters, job postings, salary data, and exclusive store discounts.

Sign Up

Last fall, Donald Trump theorized that the computer hacker who stole emails from the Democratic National Committee could have been “someone sitting on their bed that weighs 400 pounds.” But the stereotypical rogue nerd isn’t the threat that most concerns information-security officers on college campuses.

Their institutions are under constant attack, they say, by groups of criminal hackers who have professionalized, and industrialized, their efforts in the past few years. If the hackers find a tiny flaw in a college’s data-security apparatus — an unsecured server, a careless user — they can infiltrate its network, Hoover up any and all data they come across, and peddle the choice bits on the dark market — those shadowy corners of the internet where people go to buy and sell illicit goods anonymously. There have been thefts of politically sensitive data, as when hackers published hundreds of emails and documents in 2009 that raised questions about climate scientists’ impartiality, but almost all attacks have more mercenary motives.

Digital Campus cover with text
The Digital Campus: Big Data
Colleges want to track students and help them succeed, to find out what works in the classroom, and to measure professors’ productivity. Read a special report that unpacks what big data can and can’t do.
  • The Cost That Holds Back Ed-Tech Innovation
  • How Open E-Credentials Will Transform Higher Education
  • Big Data for Student Success Still Limited to Early Adopters
  • Big Data Alone Won’t Help Students
  • The Job-Market Moment of Digital Humanities

It’s an escalating battle that many colleges must fight with limited resources. And the stakes are high. A major breach can expose thousands of names and Social Security numbers, credit-card numbers, and other personal data that employees and students turn over to colleges all the time, leaving those affected vulnerable to identity theft. A breach at the University of California at Berkeley last year compromised the personal data of about 80,000 current and former employees and students.

An attack can also bring an institution’s computer network crashing down: In 2015, Rutgers University was hit with several “denial of service” attacks, in which a hacker flooded the institution’s network with data, temporarily crippling it. In the aftermath, the university budgeted about $3 million to improve its data security.

Colleges “have to be right every time” when it comes to securing data, says Brad Wheeler, vice president for information technology and chief information officer at Indiana University. “The bad guys can try 10,000 times, or 50,000 times. As long as they get it right once, they get a win. It’s a very, very asymmetrical game now.”

Groups of criminal hackers, many of them based overseas, have upgraded their tools and methods. “They’re using these almost weapons-grade hacking kits,” Mr. Wheeler says.

But even familiar modes of attack have grown in sophistication. “Phishing,” in which people receive an email designed to get them to give up passwords or financial information, has evolved past “a rich uncle in Nigeria who wants to wire you a million dollars,” he says, and now uses messages that look very legitimate: “They’re simple, they’re short, they’re often contextualized for something going on at the institution.” Indiana delivered 442 million emails to its users last year, and its countermeasures killed 2.1 billion emails before they entered its system.

The rise of big data has also abetted hackers’ efforts. A decade ago, a spreadsheet of Social Security numbers was “the holy grail” for hackers, says Ronald D. Kraemer, vice president and chief information and digital officer at the University of Notre Dame. Data that can be used for identity theft or to tap financial resources remain the primary targets, but in the past few years, “the analytics tools that people have available to them to sort through data and to figure out what the hidden gems are have just advanced so much,” he says. Personally identifiable information is still the most desirable, and lucrative, goal, but if hackers get into a college’s network they can gather terabytes of research data or emails to sift for possible profit. Most of the nonpersonal data will contain little or no information that can be leveraged, but it doesn’t matter.

“They just slurp it all up,” says Mitchel W. Davis, chief information officer and senior vice president at Bowdoin College. “It might take years to look at it, but they want to get hold of it.”

3 Types of Attacks Colleges Face

Phishing

These emails are designed to trick recipients into giving up their passwords or financial information, and they’re getting more sophisticated all the time. Phishing attempts that target students, faculty, and staff members these days may even mimic missives from within the institution itself. Hackers sometimes “draw on social media, look to see what’s going on at the institution, fabricate messages that appear to be legitimate, or even hack the account of someone that you would likely interact with,” says Brad Wheeler, vice president for information technology and chief information officer at Indiana University.

Ransomware

Click on the wrong link — even if it seems legitimate — and you might download malicious software that allows hackers to hold a machine or server hostage, along with its data. Many such attacks can be contained, but it’s important for victims to report attacks immediately so the damage can be dealt with. Mitchel W. Davis, chief information officer and senior vice president at Bowdoin College, says his institution has worked to encourage ransomware victims not to be embarrassed or worried about penalties: “We get calls very quickly if they realize that they may have made a mistake.”

Denial-of-service attacks

While relatively rare in higher education, these attacks can be devastating, as hackers flood an organization’s computer network with data, overwhelming it and blocking legitimate activity in the process. “That is a great concern,” Mr. Wheeler says. If someone doesn’t like something an institution is doing, or a former employee has a grievance, they can “rent a mercenary army to flood your network pipes and knock you offline.”

Large, relatively open computer networks with thousands of users help universities to perform their expansive missions, but they also make it difficult to defend against intrusion. Data security at a college over all is only as good as the security of each server, and of each individual user.

ADVERTISEMENT

Big attacks often start small. “Someone will hack a school, lab, or departmental-level server. Then they’ll look around sideways,” Mr. Wheeler says. “Then they’ll escalate their privileges on that server. Then they’ll start working up the food chain,” probing for deeper access, and more and more valuable information.

At Indiana, Mr. Wheeler and his staff have spent several years working on reducing potential intrusion points. About four years ago, a self-audit at Indiana revealed about 1,600 computer servers that Mr. Wheeler’s office didn’t even know about. Back then, only about 65 percent of servers on campus were contained within the university’s central data center, where they could be monitored by the best security the institution had on hand. Now about 90 percent are. “If we have fewer things to attack, and fewer things that we can focus more professional energy on securing them, we’re going to be better off than otherwise,” he says.

Many institutions are being more cautious about the information they keep on their networks. When it comes to data, Mr. Kraemer says, “if we have to have it, we encrypt it. If we don’t have to have it, we get rid of it. An organization becomes less of a target if you don’t have tens of thousands of Social Security numbers sitting in an unsecure system.”

More colleges are also moving toward requiring multifactor authentication, where a password and some additional information or item are required to gain access to its system. If you’re a hacker trying to get past it, “just stealing a password doesn’t help anymore,” Mr. Kraemer says.

ADVERTISEMENT

Notre Dame recently made multifactor authentication mandatory for all faculty, staff, and students, a move that involved a management as well as a technical challenge. Mr. Kraemer and his staff spent months talking to various groups on the campus about the security value of multifactor authentication, explaining that it would protect not only the university but also individuals from theft and fraud. Most people are already used to using multifactor authentication for accessing bank machines (a bank card and a PIN), he says. It seems like an unaccustomed step for computer access, but it shields their research and their finances.

Indeed, getting everyone on campus to keep computer security in mind can be as good as some technical backstop, and more affordable. When Bowdoin rolled out multifactor authentication about a year ago, the goal was not just to sell the new program, according to Steven A. Blanc, vice president and associate chief information officer. It was important to impart the idea that “security is not something that IT does, it’s something the college does,” he says.

There’s no reason to believe that hackers will become less skilled, or less persistent, in the future, so colleges will probably continue to face escalating data-security challenges.

The advent of cloud computing has afforded colleges new options for protecting their data, but it also creates potential new threats to security. Storing data in the cloud has helped institutions fend off ransomware attacks, in which malicious software allows hackers to hold data on a machine hostage. “If your data actually exists in multiple places, you can get back your data without having to go through the ransom process,” says Mr. Kraemer. But unless handled carefully, passing data back and forth between a university’s systems and the cloud is one of many processes hackers can exploit to compromise security. “Very few IT organizations in higher education have a clear understanding of what it takes to secure something that’s now part of your system but outside of your organization,” Mr. Davis says.

ADVERTISEMENT

Hiring data-security personnel with the necessary skills and experience has become increasingly difficult for colleges. Many institutions have started cybersecurity programs that are turning out graduates as fast as they can, but universities themselves are often looking for more senior employees.

“We’re looking for people who are seasoned in dealing with difficult situations,” says Darren Lacey, chief information-security officer and director of IT compliance at the Johns Hopkins University and Johns Hopkins Medicine. “It can be difficult for people to get into the field, even though there’s a shortage of people once you’re in.”

The shortage has driven up salaries for top information-security staff as well. A chief information-security officer at a typical college 10 years ago might have started at $75,000, Mr. Davis says. “Now? Double that.”

Despite scarce personnel and limited resources, Mr. Lacey thinks colleges do a good job over all at data security. Data-security professionals in higher education can communicate with peers at other institutions through a membership organization known as Ren-Isac, the Research and Education Networking Information Sharing and Analysis Center. Such networking helps keep even the smallest institutions up on the latest threats and protective tactics.

ADVERTISEMENT

Mr. Wheeler worries, though, that such collaborations may not be enough to stave off the growing threat. Even with an information-sharing apparatus in place, word of attacks still sometimes takes days to spread in an era where minutes can count. Each institution may draw on widespread best practices, but they’re all still reinventing the wheel. “We’re going to have to find a path among colleges and universities that gets to a greater degree of efficiency and operational effectiveness at scale, rather than thinking that each campus individually, one by one, can keep up,” he says.

But Mr. Kraemer believes it may be a good thing that colleges aren’t all dug in behind a unified cyberdefense. “The kinds of protections we’ve each put in place, the strategies we use, they’re not unique, but they’re not entirely in sync either, and I think that might actually be a good thing,” he says. “If everyone is doing the exact same thing, in some ways that makes us vulnerable.”

A version of this article appeared in the April 14, 2017, issue.
Read other items in The Digital Campus: Big Data.
We welcome your thoughts and questions about this article. Please email the editors or submit a letter for publication.
Share
  • Twitter
  • LinkedIn
  • Facebook
  • Email
Gardner_Lee.jpg
About the Author
Lee Gardner
Lee Gardner writes about the management of colleges and universities. Follow him on Twitter @_lee_g, or email him at lee.gardner@chronicle.com.
ADVERTISEMENT
ADVERTISEMENT

Related Content

Cybersecurity, Rising
Why a ‘Guerrilla Archiving’ Project Seeks to Preserve Climate Data Before Trump Takes Office
Data Breaches Put a Dent in Colleges’ Finances as Well as Reputations

More News

UCLA students, researchers and demonstrators rally during a "Kill the Cuts" protest against the Trump administration's funding cuts on research, health and higher education at the University of California Los Angeles (UCLA) in Los Angeles on April 8, 2025.
Scholarship & Research
Trump Proposed Slashing the National Science Foundation’s Budget. A Key Senate Committee Just Refused.
Illustration of a steamroller rolling over a colorful road and leaving gray asphalt in its wake.
Newly Updated
Oregon State U. Will End a Renowned Program That Aimed to Reduce Bias in Hiring
Dr. Gregory Washington, president of George Mason University.
Another probe
George Mason President Discriminated Against White People After George Floyd Protests, Justice Dept. Says
Protesters gather outside the Department of Education headquarters in Washington, D.C., on Feb. 14, 2025 to protest the Trump administrations cuts at the agency.
An Uncertain Future
The Education Dept. Got a Green Light to Shrink. Here Are 3 Questions About What’s Next.

From The Review

Photo-based illustration with repeated images of a student walking, in the pattern of a graph trending down, then up.
The Review | Opinion
7 Ways Community Colleges Can Boost Enrollment
By Bob Levey
Illustration of an ocean tide shaped like Donald Trump about to wash away sandcastles shaped like a college campus.
The Review | Essay
Why Universities Are So Powerless in Their Fight Against Trump
By Jason Owen-Smith
Photo-based illustration of a closeup of a pencil meshed with a circuit bosrd
The Review | Essay
How Are Students Really Using AI?
By Derek O'Connell

Upcoming Events

07-31-Turbulent-Workday_assets v2_Plain.png
Keeping Your Institution Moving Forward in Turbulent Times
Ascendium_Housing_Plain.png
What It Really Takes to Serve Students’ Basic Needs: Housing
Lead With Insight
  • Explore Content
    • Latest News
    • Newsletters
    • Letters
    • Free Reports and Guides
    • Professional Development
    • Events
    • Chronicle Store
    • Chronicle Intelligence
    • Jobs in Higher Education
    • Post a Job
  • Know The Chronicle
    • About Us
    • Vision, Mission, Values
    • DEI at The Chronicle
    • Write for Us
    • Work at The Chronicle
    • Our Reporting Process
    • Advertise With Us
    • Brand Studio
    • Accessibility Statement
  • Account and Access
    • Manage Your Account
    • Manage Newsletters
    • Individual Subscriptions
    • Group and Institutional Access
    • Subscription & Account FAQ
  • Get Support
    • Contact Us
    • Reprints & Permissions
    • User Agreement
    • Terms and Conditions
    • Privacy Policy
    • California Privacy Policy
    • Do Not Sell My Personal Information
1255 23rd Street, N.W. Washington, D.C. 20037
© 2025 The Chronicle of Higher Education
The Chronicle of Higher Education is academe’s most trusted resource for independent journalism, career development, and forward-looking intelligence. Our readers lead, teach, learn, and innovate with insights from The Chronicle.
Follow Us
  • twitter
  • instagram
  • youtube
  • facebook
  • linkedin