Navigating the Changing Cybersecurity Landscape in Higher Education
Cybersecurity has become increasingly visible over the past decade. Regular stories of breaches, lost data, politically motivated attacks and more fill the media. Corporate boards and executives are more knowledgeable than ever about the costs and risks of cybersecurity. Higher education leadership is engaged now as well, many driven by problems at their institution or skyrocketing insurance costs. While higher education resembles other industries when it comes to cybersecurity, we have unique considerations.
The very things that make being on a college campus a wonderful experience also make it challenging to secure. Consider a typical day at a university: We welcome visitors to our campuses for athletics, performances and family events. Our researchers use highly specialized instruments to collect data from across the world and space in collaboration with other institutions, government, foundations and the private sector, and share their data broadly. Our residential students want personal experiences like gaming, and those who live off campus need to be able to connect to secure systems to do their homework using devices they own and manage. Faculty and staff work from anywhere—travelling teams, study abroad, field research and more. The University of Wisconsin–Madison has a presence in all 72 Wisconsin counties, across the U.S., plus research stations across the world—including Antarctica—so data is constantly flowing in and out of the university.
The sheer variety and complexity of opportunities UW–Madison provides help make it a world-class learning experience for our 50,000 students. But this variety and complexity also make cybersecurity challenging.
What University Leaders Should Know and Care About
Within the university, we hold private information about people: coursework and grades, payroll information, medical information and sometimes even classified research. We have a legal and ethical duty to protect this information. We also need our students’ and employees’ trust, and that trust comes with knowing that we will keep their personal information safe. Any data loss can damage that trust and degrade our reputation.
Leaders should also care because data breaches are expensive. A system compromised by ransomware or other types of breaches may be offline for days or weeks, causing substantial lost work time and additional costs to restore services and support those whose data was exposed. Some institutions have faced the choice of paying a ransom, not getting data back or, even worse, seeing their private data published publicly. These costs can add up quickly.
University leaders should know that the nature of cybersecurity threats continues to shift. Criminals hack for a variety of reasons, including political agendas, to be disruptive to others and to make money. According to one study, your identity may go for $60 to $80 on the black market and credit card information from $20 to $75.[1] The average hack exposes 26,000 records, so a successful hack can net a criminal $500,000 to $2 million, and hackers can sell the same information more than once.[2] Moreover, a 2023 study by the CyberEdge Group showed that education has a significant problem: 79% of educational institutions reported they had been a victim of at least one successful attack in the past year.[3]
While the numbers may vary, the reality is this kind of payday incentivizes a lot of innovation among criminals, and they are succeeding in breaking into higher education systems. Hence, leaders should know that staying strong and cybersecure in this changing landscape will take continual vigilance and ongoing investment. And while institutions can do some things behind the scenes to address increasing cybersecurity threats, leaders should expect that some new security measures will impact the devices people use and how they access university systems.
Cybersecurity in Practice
Many of our institutions have a history of autonomy in IT, particularly in research areas where there is so much variability of devices and complexity in the environments. Becoming a more cybersecure institution requires meeting standards and comprehensively monitoring and maintaining systems. This can be a cultural shift, and it takes time and effort, including from people who are mostly occupied with core research and teaching at the institution.
Let’s be realistic. While cybersecurity is important, it can be challenging to get busy people to make time for training and security tasks. However, individual behavior like clicking on phishing links or not updating software is a significant cause of security breaches, and one unsecured device can spread problems to others.
Leaders can ask a few questions to help improve their institution’s cybersecurity profile:
- Does your institution require training, and does it focus on the right topics? For example, some phishing messages are obviously sketchy-looking, while others can be quite subtle, requiring a careful eye to detect the threat. Cybersecurity training that focuses on helping people spot a problem will lead to a savvier community.
- Is your institution purchasing systems that are secure in addition to being easy to use and functional? Many of the popular productivity platforms for email, calendars, course management, administrative work and more have good security built in. If the best way for people to work is also the most secure way, you can improve the institution’s security posture without additional work and cost.
- Do you know where the hot spots are? Leaders should ask for candid information about security vulnerabilities, so they understand what risks are present. They can then help the institution strike the right balance of acceptable risk, additional investment and policy changes.
There is no one-size-fits-all solution for cybersecurity. Being responsible stewards of institutional and personal data requires vigilance, flexibility and thoughtful application of authority. The good news is more leaders understand that cybersecurity is essential to the mission of their institution. So, while the cybersecurity landscape is always changing, engaged leaders can navigate safely by investing in the right tools and expertise and building a culture of security at their institutions.
[1] Pricing of Goods and Services on the Deep & Dark Web. Flashpoint. https://flashpoint.io/blog/pricing-analysis-deep-dark-web/
[2] Cost of a Data Breach Report 2023. IBM Security. https://www.ibm.com/downloads/cas/E3G5JMBP
[3] 2023 Cyberthreat Defense Report. CyberEdge Group. https://cyber-edge.com/wp-content/uploads/2023/04/CyberEdge-2023-CDR-Report-v1.0.pdf
Author Perspective: Administrator