Why Is Education Under Attack?
Higher education is uniquely vulnerable to cyberattacks. In part, that is because colleges and universities are high-value targets. Universities conduct valuable research and have extensive databases of personal information, making them attractive targets for cybercriminals and state-sponsored actors. They are also highly vulnerable to disruption; a data breach leaves universities open to loss of valuable IP, reputational damage and regulatory repercussions. Malicious actors can also shut down university operations, leading to lost educational opportunities for students, frustration for faculty and staff, and substantial financial losses. Perhaps this is why nearly 75% of ransomware attacks on higher education institutions succeed.
But there are a host of other factors that create unique cybersecurity challenges for education.
- Open Environment: Higher education institutions traditionally champion open environments that promote academic freedom and the exchange of ideas. This philosophy can be in direct contrast with tight security controls, making campuses more vulnerable.
- Diverse and Transient User Base: Campuses have a vast and constantly changing population of users accessing their networks. This includes students, faculty, staff, researchers, visitors, and even alumni in some cases. Managing permissions and ensuring the cybersecurity awareness of such a diverse user base can be difficult.
- Broad Range of Devices: Students and staff often bring a multitude of personal devices onto campus, from laptops and smartphones to gaming consoles and smart TVs. This BYOD (Bring Your Own Device) culture increases the number of potential entry points for cyber threats.
- Complex IT Infrastructure: Universities often have a sprawling IT infrastructure, which includes legacy business systems, learning management systems (LMS), department-specific tools, and cutting-edge research equipment. Ensuring consistent security across such a diverse set of tools and platforms can be a challenge.
- Peer-to-Peer (P2P) Sharing: Campuses often see high volumes of P2P sharing, which can inadvertently open pathways for malicious software and create vulnerabilities.
- Resource Constraints: While universities often operate with large budgets, IT and cybersecurity might not always receive the priority or funding they need. The lack of specialized security personnel or outdated security systems can exacerbate vulnerabilities.
- Diverse Applications: In addition to digital access through campus-owned or personal devices, colleges and universities must also consider physical access to dorms, computer labs and other facilities as part of a total security solution.
Say Goodbye to Passwords for Digital Security
User authentication is one of the pillars of cybersecurity. It is critical to ensure that only authorized individuals have access to digital data, networks, systems and applications. User authentication, while not sufficient on its own, is the first step to protecting university systems from unauthorized intrusions. That includes authentication of users on shared workstations and devices as well as on personal devices that are allowed to connect to the university network.
Many colleges and universities still rely on password systems for user authentication. However, password-based authentication systems are highly vulnerable to cyberattacks and human error. They also create major headaches and extra work for IT when passwords are forgotten. For end users, password fatigue is a real problem—especially when they must remember passwords for multiple systems and applications.
Password systems create vulnerabilities in several ways.
- Poor password practices: To reduce password fatigue, many users reuse passwords across applications or choose simple, easily guessed passwords. This leaves accounts vulnerable to brute force attacks and credential stuffing.
- Password sharing: Users might share passwords with friends, family, or colleagues, which compromises the security of their accounts. Alternatively, passwords may be compromised by malicious observers in public areas.
- Phishing attacks: Users can be tricked into revealing their passwords to malicious actors through deceptive emails or fake websites.
- Keylogging: Malware can be used to record keystrokes, allowing malicious actors to capture passwords as users enter them.
- Password storage: If service providers don’t use proper methods to secure passwords (like hashing and salting), they risk exposing their users’ passwords in case of a data breach.
For all these reasons and more, passwords are not the most secure method of user authentication for digital applications. Increasingly, password systems are being replaced by secure authentication via an ID badge, mobile credential, or multifactor authentication.
The Role of RFID and Mobile Authentication in Campus Cybersecurity
RFID (Radio-Frequency Identification) and mobile credentials offer several security and convenience advantages over traditional password-based systems. Both RFID and mobile credentials require a physical token (an RFID card or a mobile device) to be present for authentication. This introduces an additional layer of security, as an attacker would need the physical device, not just knowledge of a password. In most cases, the university can take advantage of the ID badge or mobile credentialing system already in place for physical access control (PAC) on campus, creating additional simplicity for users and university IT.
Here’s why more colleges and universities are switching to RFID and mobile credentialing systems for access to digital networks and applications.
- Security: Modern RFID cards and mobile credential systems utilize encryption, making unauthorized access or cloning more difficult. Because, unlike passwords, they don’t rely on memory, there’s less chance of user-related security breaches such as sharing credentials, writing them down, or using easily guessable passwords. They can also be combined with other authentication methods (like a PIN or biometric verification on a mobile device) for multifactor authentication.
- Simplicity: RFID and mobile authentication solve the password fatigue problem for users and eliminate password reset hassles for IT. These technologies support single sign-on (SSO) to campus networks and applications from shared workstations or even personal devices using a single ID badge or mobile credential for added user convenience.
- Loss Detection: It’s often easier to notice the loss of a physical object like an RFID card or a mobile device than a compromised password, leading to quicker remediation actions like deactivating the lost card. Users are less likely to share their card or phone, too.
- Protection Against Common Attacks: Phishing, keylogging, and similar cyberattack methods are primarily designed to capture passwords and are not typically effective against RFID or mobile credential systems.
- All-in-one solution: RFID or smartphone-based credentialing can be used for both digital and physical access applications, including access to campus buildings, computer labs, libraries and dorms along with other amenities. A unified system is more convenient for users and simpler for IT to manage.
ELATEC is working with colleges and universities to implement secure, unified user authentication and access control systems for both physical and digital security. Our universal readers can accommodate both traditional student and faculty ID badges and mobile credentials, creating a simple and scalable solution that works for everyone.