How Digitally Safe Are Higher Ed’s Go-To Apps?

The threat landscape for Web, mobile, and API-based applications in higher education is constantly evolving. In fact, new education sector statistics from NTT Application Security remind higher education’s IT professionals of the need to frequently analyze the overall state of security of their applications.

The group’s security research team examined the increasing number of edtech cyberthreats as institutions ramped up their online learning environments in response to the pandemic. Colleges and universities have seen a dramatic increase in ransomware and phishing attacks as they have moved more faculty-student instruction and interaction online.

The “Window of Exposure” metric used by the researchers represents the amount of time that an application has a serious vulnerability that can be exploited in a data breach. Fifty-three percent of education apps have “at least one serious exploitable vulnerability open throughout the year.” Addressing these vulnerabilities is urgent because the skill level needed to discover and exploit them is relatively low, making it easier for attackers to hack into and cause havoc in university networks.

What IT Teams Should Know

The top five areas of vulnerability identified over the last three months have remained constant:

  • Information leakage
  • Insufficient session expiration
  • Cross-site scripting
  • Insufficient transport layer protection
  • Content spoofing

According to the research, only 46 percent of critical vulnerabilities are ever fixed. Once an organization identifies the risk and takes action, it takes 202 days, on average, to fix the vulnerability. These two factors are the primary reasons that education apps are at a high level of breach exposure and present a critical challenge for institutions.

  • The mix of vulnerabilities has remained constant over time, and the warnings are clear. Organizations open the door for attackers to deploy “educated, strategic measures against applications whose security measures go unchecked.”
  • Reducing the time required to fix critical vulnerabilities improves the “Window of Exposure” and the overall security of the ecosystem of apps.

More Concerns about Higher Ed Cybersecurity

Even before the pandemic, university networks attracted cyberattacks. The shift to remote learning extended the potential for security breaches beyond apps to other parts of the technology ecosystem. The following facts further support the urgency of addressing higher-ed security vulnerabilities:

  1. Three-quarters of all data breaches in education to date have been in higher ed.
  2. Data security is the second-largest liability for institutions.
  3. Nearly 90 percent of institutions don’t protect students and faculty from phishing attacks.
  4. Cyberattacks on universities increased 30 percent during July and August 2020.
  5. The average ransomware demand was $312,493 in 2020 and continues to increase.

App and network security are urgent and critical issues for university IT teams. Many schools are at higher risk than they know for data breaches and ransomware. In addition to closing the security gaps and improving app and network protection, universities need to develop appropriate data security training programs for IT staff, faculty, and students.