Universities, especially those with an emphasis on medicine, engineering, and other sciences, are a massive driving force for much of the leading research around the globe. As such, educational institutions, particularly those with advanced, prestigious, or otherwise notable research facilities, are popular targets for malicious activity. Making matters worse, many educational institutions fail to follow industry best practices for cyber security, including enforcing the use of Two Factor Authentication (2FA) and strong password requirements.
According to Verizon’s 2019 Data Breach Investigations Report, educational institutions are still struggling with how to deal with phishing, general email security, and ransomware threats, among others. The report also notes that institutions “that partner with private Silicon Valley companies, run policy institutes, or operate research centers are probably more likely to be a target of cyber-espionage than secondary school districts.”
Attackers have a wide range of motives, including financial gain from selling personal information on the dark web, corporate espionage, ideology, or simply fun.
A secure file exchange service can help mitigate many of the issues and help stave off any outsiders who may be trying to steal your research data. Here are 3 reasons why every university should use a secure file sharing service:
1. Misaddressed Emails are Still a Problem
It’s probably safe to assume that most people who regularly use email have misaddressed an email at least once in their life. Even if you haven’t, it remains a very common source of data breaches. Most misaddressed emails are innocuous and contain no valuable or otherwise damaging information, but when they do, the results can be extremely negative consequences, as an Ohio State Professor found out, or just downright embarrassment.
Unfortunately, educational institutions seem particularly prone to this issue. According to the Notifiable Data Breaches Quarterly Statistics Report issued May 2019 by the Australian government, there were 19 data breaches in the Australian education sector from January 1, 2019 to March 31, 2019. Of these, over half (10) were caused by human error. Of those 10 breaches caused by human error, 4 were caused by misaddressed emails. Another 4 were caused by unauthorized disclosure of information (by an unintended release or publication), which can include disclosure via email. A mistakenly attached file sent by a University of Virginia Law School official serves as a prime example of an unauthorized disclosure via unintended release.
The 4 breaches via misaddressed emails and the 4 breaches via unauthorized disclosure through unintended release or publication accounted for 80% of breaches caused by human error in the education sector in Australia. Put in other terms, simply avoiding the use of email could have prevented 80% of Australian education sector data breaches caused by human error in the first quarter of 2019.
2. Education is Prone to Phishing
Education is also a popular target for malicious attacks: schools hold a plethora of personal and sometimes medical information on students and faculty that can be sold on the dark web for profit. For universities with research programs and/or tech industry connections, these threats are greatly increased, as their research makes them prime targets for corporate espionage, ideological attacks, or even attacks carried out just for fun.
The Verizon 2019 Data Breach Report indicates Web Application Attacks, such as breaching a cloud email server, were the second most common attack vector for malicious cyber attacks on US education sector organizations. They accounted for about 25% of all education sector breaches in 2018. The report goes on to say, “this is mostly due to the frequent compromise of cloud-based mail services via phishing links to phony login pages.”
Indeed, the Australian Notifiable Data Breach Quarterly Statistics Report corroborates this, noting that cyber incidents accounted for half of breaches from malicious attacks on the Australian education sector (4 of 8 malicious attacks, or 4 of all 19 breaches). All of these “cyber incidents” involved compromised credentials, including via phishing.
3. Security Standards Lagging Behind
The Verizon 2019 Data Breach Report indicates that many of the breaches in the US education sector are a result of “poor security hygiene and a lack of attention to detail.” They go on to say a baseline method to enhance security and reduce human error is to establish 2FA on internet-facing assets like email and other web servers, such as those hosting web applications and services.
Improving security standards has been a challenge in education, as there is a lot of autonomy in the education sector, especially in universities. Public universities may have rules set by their respective state, and private schools need to follow applicable law; however, as evidenced by the pervasive lack of 2FA enforcement at many institutions, there is clearly some variance between university practices.
Enforcing 2FA in and of itself can be challenging, as many programs and services do not require it by default. Company and university policies may require it, but actually enforcing compliance can prove challenging, as it typically requires auditing all users to see if they have 2FA set up, then following up individually with those that do not. Even if users in violation of university security policies are discovered, there may be resistance due to any number of factors, including hesitation to leverage new technology, a resistance to changing established security practices, or users who just downright ignore or refuse the request to set up better security.
Portable Storage Devices
Data is also frequently shared via portable storage devices such as USB keys. Universities and other educational institutions lean on portable storage devices in an effort to solve for both compliance and security concerns. They know sharing research data via email or the internet is risky, as email is inherently insecure. File sharing services are also often avoided, as they commonly have limited security controls, have been a popular target for attackers, and are even used as a way to phish credentials. The drawback of using portable storage devices is that they are often small and are relatively easy to lose or steal. Indeed, in spite of the effort to securely store data, the Australian Notifiable Data Breach Report notes another 3 of the breaches were caused by lost or stolen storage devices.
The Solution: XM SendSecure
XM SendSecure helps solve these problems with one simple, secure, and easy to use solution. It combines the ease of use of email with a secure file sharing service that has a detailed audit trail, mandatory 2FA, and greater security controls. Going beyond just encrypting data in transit and at rest, XM SendSecure makes securely exchanging files as simple as sending an email, as users can create a secure file sharing SafeBox right from Microsoft Outlook.
The 2FA feature leverages known contact information from your Outlook or other address book, helping to ensure both that the link to the SafeBox is emailed to the correct person and that only the intended recipients can access it. XM SendSecure also features multi-function printer (MFP) connectors that enable users to quickly create and share a SafeBox from their MFP. It also features mobile (iOS and Android) and web apps, making it versatile and easy to use on the go.
For added protection that is especially valuable for sharing sensitive research data, XM SendSecure also features ephemeral storage. This storage is designed to automatically delete its contents on a set expiration date. This is valuable for university research facilities, as it reduces undue risk from old files remaining in a shared folder longer than necessary.
Going back to the Australian Notifiable Data Breach Report, of the 19 Australian education sector notifiable data breaches:
- 4 were caused by misaddressed emails
- 4 by unauthorized disclosure via unintended release
- 4 were the result of malicious attacks compromising (phishing) credentials
- 3 were caused by a lost or stolen storage device
In other words, up to 15 out of 19 (or nearly 80%) Australian education sector data breaches in the first quarter of 2019 could have been prevented by using XM SendSecure.
XM SendSecure also features a detailed audit report that can help disincentivize bad actors from leaking information, keep users accountable, and provide records in the event of a compliance audit. The SafeBox activity logs can be viewed at any time while the SafeBox is still open. When the expiration date passes, a final audit report is generated for the SafeBox creator. The final report contains detailed information on every user invited to collaborate and all of their interactions with the SafeBox. XM SendSecure even logs download completion percentages, which can be used to ensure those that downloaded a given file received the complete file.
University and other research facilities don’t need to use risky methods to share research data. Learn how XMedius and our suite of secure, cost effective, and easy to use solutions like XM SendSecure can help reduce risk of a data breach from human error while supporting your secure file sharing needs.