Cybercrime cost the world $8.4 trillion in 2022. In 2027, that number is predicted to hit over $23 trillion. Cybercrime has affected organizations of every size in every industry. And while financial institutions are some of cybercriminals’ favorite targets, their biggest prize is the sensitive data of large numbers of people: Social Security numbers, phone numbers, birthdays, usernames, passwords, last known addresses, and financial information.
With that information, a cybercriminal could take out a loan or open a new credit account in your name, file fraudulent insurance claims or tax returns, and skim funds from your bank account each month. And good news for criminals — not only is that the information schools, colleges, and universities have, but it’s also likely to be easy to get. So in this blog, I’ll explore the unique cybersecurity problems that colleges and universities face and how to protect sensitive data on a budget.
The Top 3 Higher Education Cybersecurity Problems in 2025
Here are a few reasons why colleges and universities, in many ways, have a tougher road ahead of them when it comes to securing systems and data. But just like any other organization, cybersecurity basics go a long, long way. And none of these problems are without effective solutions.
1. Your Attack Surface Is Huge
When we say “attack surface” in cybersecurity, we basically mean any entry points into a system that a hacker could potentially exploit. Here’s why colleges and universities have so many:
- They typically have decentralized and diverse IT environments with inconsistent tools and security practices
- Students and staff need to access online tools and resources through personal devices
- Student populations turn over each year, requiring constant identity management
How To Solve the Problem
This problem isn’t new, and cybersecurity experts and organizations have come up with highly effective solutions. Interestingly enough, many of these techniques echo physical security strategies that were just as effective in medieval castles.
Here’s how to bring large attack surfaces down to size:
- Move away from focusing entirely on perimeter-based security toward a more complex zero trust architecture, so even if a hacker gets inside, sensitive data remains protected
- Implement micro-segmentation, where critical systems, research networks, and sensitive information are isolated
- Create institution-wide security policies that can accommodate unique departmental needs
- Implement strong user authentication, especially for high-risk systems and accounts
- Conduct regular security audits
- Create a thorough and well-tested incident response plan
- Offer engaging security awareness training to transform your staff from a cybersecurity liability into a powerful line of defense
2. You May Have Open Remote Desktop Protocols (RDPs)
23% of the top 500 universities have at least one open RDP, meaning an RDP service reachable directly from the internet. RDP often allows faculty and staff to access specialized software and information remotely, but it isn’t very secure. When you add outdated software, decentralized IT, limited cybersecurity resources, and a high priority on convenience to the mix, it’s a dream come true for hackers interested in carrying out data breaches and ransomware attacks.
In fact, recently, RDP abuse was associated with 65% of ransomware cases and was often used to attack the same victim multiple times.
How To Solve the Problem
Being able to access sophisticated systems from anywhere without increasing risk is a challenge, but it’s a problem that has several tried-and-true solutions. In addition to the recommendations I provided earlier, here are your options:
- Pairing VPNs with multifactor authentication
- Remote desktop gateways that broker connections securely
3. You Have a Lot of Vendors
Every vendor that has access to your physical location, data, or systems represents a risk. Colleges and universities tend to have a lot of them. And considering the fact that 98% of organizations have at least one third-party vendor that has suffered a data breach, it’s not a risk you can ignore.
How To Solve the Problem
Vendor due diligence is a must in 2025. In the same way you’d require, let’s say, a cleaning company to do background checks on everyone who has access to your facilities, it’s time to look into the cybersecurity practices of other organizations that have access to your systems or data.
Do they require multifactor authentication for all users on all sensitive accounts? Do they have cybersecurity insurance? Is their security strategy in line with a publicly available information security standard? If not, it might be time to reconsider the relationship. In 2025, more businesses that provide services to other organizations are becoming aware that their cybersecurity is now tied to their ability to attract and retain clients. So, even if you haven’t made these types of inquiries, they shouldn’t come as a surprise. And if they do, or a vendor reacts defensively, that’s a giant red flag.
Higher Education Cybersecurity News To Get Stakeholders On Board
Need to free up additional budget to make some of these upgrades? Here are a few recent headlines to help you get what you need.
University of Manchester Ransomware Attack (June 2023)
A sophisticated ransomware operation ended in the theft of personally identifiable information belonging to faculty, staff, students, and alumni, including the health records of approximately 1.1 million National Health Service patients. These records, held by the university for research purposes, included sensitive medical information about major trauma patients and victims of terror attacks.
Michigan State University NetWalker Ransomware Incident (May 2020)
This attack originated after IT employees in the physics department didn’t install a critical security patch for their virtual private network (VPN). But there’s a bit more to the story. The physics department's IT team didn’t want to take all of the blame, as they said they had struggled with insufficient resources and inadequate guidance from central IT. At any rate, the good news is the institution did what we’d normally recommend and refused to pay the ransom. Instead, they consolidated their IT operations, added multifactor authentication, secured their VPN services, and restricted user access.
University of Minnesota Data Breach (2021)
This massive data breach exposed the sensitive personal information of over 7 million people. Hackers found a treasure trove of data, including financial aid applications dating back to 1989, with Social Security numbers, dates of birth, and passport details. Making matters worse, the university failed to properly inform those affected in a timely manner. A flurry of lawsuits followed, and as is often the case, the cost of properly protecting their data would have been minuscule compared to the costs associated with failing to do so.
Cost-Effective Cybersecurity for Higher Education
Managed IT isn’t the right solution for every organization! However, higher education organizations that wish to maintain their own in-house team can still outsource some of the tough stuff — including cybersecurity — to a trusted third party.
That way, they can retain all of the benefits of having an in-house, on-premises team that understands unique department needs but without the skill gaps, time challenges, and resource constraints that make it very difficult to keep up with rapidly evolving threats. As an added bonus, colleges and universities can relieve some of the stress that keeps their internal IT teams up at night.