Malicious cyberattacks are a fact of life and a constant challenge for every organization today. As The Economist noted in a 2013 article, “Computer Hacking: A Byte for a Byte,” “Security experts like to say that there are now two types of companies: those that know they have been hacked and those that have been hacked without realizing it.” In 2013, when the University of Delaware suffered its first large-scale security breach, it collated information on cyberattacks at two dozen colleges and universities as reported in news-media accounts. The number of persons affected by breaches during a three-year period ending in 2013 ranged from a low of 3,300 to a high of 760,000 and averaged about 150,000. The prevalence and disruptive impact of cyberattacks have only grown since then.
College and university computer systems are particularly inviting targets for hackers, for three reasons. First, institutional servers typically contain intellectual property of considerable scientific and commercial worth. “Universities and their professors are awarded thousands of patents each year, some with vast potential value, in fields as disparate as prescription drugs, computer chips, fuel cells, aircraft and medical devices,” notes Richard Pérez-Peña, in “Universities Face a Rising Barrage of Cyberattacks” in the New York Times (July 16, 2013). On top of that, it might come as something of a revelation to the average board member to learn how much personal data colleges and universities also gather on the students who apply to and attend their institutions.
Second, in pronounced contrast to for-profit corporations, which tend to operate proprietary systems with carefully controlled access and layers of protective firewalls, college and university computer systems are built around open access, including access by users who expect to reach systems from anywhere, at any time, with a minimum of security friction. Computer systems operated by colleges and universities are managed in an extraordinarily decentralized fashion, are notoriously difficult to secure, and are consequently prone to cyberattack. Because that exposure is widely known, it raises their profile as targets, which in turn draws more attacks, in a mutually reinforcing cycle.
Finally, the cost of top-notch cyberprotection can be prohibitively high, and many university information technology departments lack the resources necessary to keep their systems updated. University IT departments tend to use hundreds or even thousands of software programs and platforms, many procured from large, national vendors. Those platforms must be updated or “patched” continually as vendors and security researchers identify new vulnerabilities. Once a patch is announced on a vendor’s web site, attackers study it to learn which flaw it fixes and begin scanning for systems that have not yet applied it, often within days and sometimes within hours. A patch does not create a vulnerability; it closes one that already exists. Every day an institution delays testing and installing the latest patch is therefore a day during which a publicly documented vulnerability remains open on its systems.
When a breach occurs, the affected institution can incur millions of dollars in remediation costs for consultants’ services, repairs, preventive actions, and system fixes. Insurance protection against cyber breaches tends to be expensive, and the insurance portfolios at most institutions do not include it.
Given the prevalence of such attacks, the impossibility of preventing all of them, their potentially destructive impact on ongoing business operations, and the unavailability of traditional insurance products to protect against the financial consequences of a security breach, cyberattacks will continue to pose significant business, operational, and legal risks.
Steps for Boards
What specifically should the board do? First and most important, the board or the appropriate standing committee of the board should solicit a report from the chief technology officer (or the chief information security officer, where that role exists) addressing breaches that have occurred to date, the institution’s response to those breaches, and the preventive steps the institution has taken to protect against future breaches. Campus officials should ask whether cyber insurance coverage (the cost of which may finally be starting to come down in some geographic markets) is affordable, and whether reasonably priced coverage provides adequate levels of protection. And the board should assess whether the cybersecurity function, which literally did not exist on many campuses five years ago, is sufficiently staffed, is supported by an adequate institutional budget, and has appropriate visibility on campus.