University Exposure to Cyber Attacks Extends Goes Beyond Identity Theft and Fraud to Patents, Intellectual Property
Back in April we covered some the privacy exposures that educational facilities face, including employee fraud and on-line payment risks. Now, a recent article in the New York Times further puts the spotlight on the extent of the cyber exposure for universities and their professors, including when it comes to intellectual property and patents, such as in the fields of prescription drugs, computer chips, fuel cells, aircraft and medical devices.
Moreover, educational institutions often don’t learn of these data “break-ins” until much later, if ever and, even after discovering the breaches, they may not be able to tell what was taken. Tracy B. Mitrano, the director of information technology policy at Cornell University, said that detection was “probably our greatest area of concern, that the hackers’ ability to detect vulnerabilities and penetrate them without being detected has increased sharply.”
The largest number of attacks according to the Times article appear to originate from China, but in many cases it’s difficult to discern because hackers often route their penetration attempts through multiple computers and even multiple countries. And for most targets, the cost to determine the origin is costly. How serious is the problem? “We get 90,000 to 100,000 attempts per day, from China alone, to penetrate our system,” said Bill Mellon, the associate dean for research policy at the University of Wisconsin. “There are also a lot from Russia, and recently a lot from Vietnam, but it’s primarily China.” Other universities report a similar number of attacks and say the figure is doubling every few years. Furthermore, what worries them most is the growing sophistication of the assault.
Part of the vulnerability of a university’s increased exposure to hacking is its inherent openness and free flow of information, with researchers collaborating with others both inside and outside the facility, and sharing their discoveries. But, from a risk management view, universities have to rethink the basic structure of their computer networks and their open style, which is often met with resistance by school officials.
Taking Measures to Mitigate Risk
Some universities, however, are taking measures to try and mitigate some of the risks, including no longer allowing professors to take laptops (and in some cases cell phones) to certain countries. “There are some countries, including China, where the minute you connect to a network, everything will be copied, or something will be planted on your computer in hopes that you’ll take that computer back home and connect to your home network, and then they’re in there,” said James A. Lewis, a senior fellow at the Center for Strategic and International Studies, a policy group in Washington. “Academics aren’t used to thinking that way.” Other schools require that employees returning from abroad have their computers scrubbed by professionals.
What’s more, some school officials are beginning to house the most sensitive data in the equivalent of smaller vaults that are harder to access and harder to move within, using data encryption, and sometimes are not even connected to the larger campus network, particularly when the work involves dangerous pathogens or research that could turn into weapons systems. “It’s sort of the opposite of the corporate structure,” which is often tougher to enter but easier to navigate, said Paul Rivers, manager of system and network security at the University of California, Berkeley. “We treat the overall Berkeley network as just as hostile as the Internet outside.”
As these types of risks become more frequent and more severe, academia needs to look at additional IT spending and risk management protocols to help prevent breaches. At Caitlin-Morgan, we specialize in providing insurance and risk management programs to educational institutions and can help you address your client’s specific needs and exposures. Give us a call to discuss our programs further at 877.226.1027.
Source: NY Times