This spring, a batch of tests were sent to 100 Clemson University faculty and staff emails in an attempt to access private and personal information.
A fourth of the emails were blocked by the security system and several additional recipients alerted the university to the phishing attempt. But more than a dozen users provided their credentials in response to the email and malware was installed on six of the university’s computers.
For Hal Stone, Clemson’s chief information security officer, the results were an improvement from the past, but not good enough. Even one compromised user could be a problem, Stone said. If a person with access to important data is hacked, it could cause a disruption of business and classes at the university.
Clemson has to protect data for more than 30,000 people each day. The university has around 5,400 employees and nearly 25,000 students work or attend school there, according to the university’s 2018 fact book.
Universities, like so many other businesses, are spending millions to fend off hacking attempts each year. They have access to a range of personal information about their faculty and students, said Rich Burke, the vice president of business development for the security consulting firm Delta Risk and a senior fellow at George Washington University’s Center for Cyber & Homeland Security.
And research universities, such as Clemson, also store information about projects that involve the government. For example, since the 1980s, Clemson has handled data security for the South Carolina Department of Health and Human Services’s Medicaid program, Stone said.
That type of work presents a “pretty attractive target” for hackers, Burke said.
Clemson began contracting with the firm Protiviti in 2014 for auditing services and had the company conduct a cybersecurity audit for the first time in 2016, Stone said. Each audit costs approximately $44,000, according to Protiviti’s contract with the university.
For the 2016 test, Stone said the results amounted to a C- performance. The test this Spring was a “solid B+” for protecting the university from cybersecurity attacks.
The Greenville News and Anderson Independent Mail requested a copy of the complete audit, but the university said it was not a public record given the sensitive nature of the information.
“Every individual has the responsibility to maintain security for the entire institution,” he said. “One individual could allow a crack in the defenses. Bad actors are looking for any way to get inside.”
Earlier this year, two national incidents highlighted the need for data security at universities.
Research published in March from iDefense, a unit of Accenture Security, found that 27 universities had been targeted by Chinese hackers looking for maritime intelligence, the Wall Street Journal reported.
A few days later, unrelated hackers accessed admissions information for applicants to three private colleges, Oberlin College, Grinnell College and Hamilton College, and tried to sell the data back to students.
During the spring 2019 academic semester, Clemson alerted students to a number of incidents. In one case, students were sent emails that offered a job opportunity. Another involved emails which appeared to be from Amazon and prompted them to enter personal information.
“All of that information would be captured and most likely exploited by the cyber criminals,” the university warned students in an alert.
Typically these attacks are not targeted only to Clemson, Stone said. When his office identifies a phishing attempt, he often learns from his peers at other institutions that they have encountered something similar.
According to the 2015 to 2016 annual report for Clemson Computing and Information Technology, the university’s anti-virus malware service blocked an estimated 42,350 potentially dangerous URLs every month.
Providing protection against cyberattacks is a moving target. Stone, who has worked at Clemson since 1997, said the landscape is “fluid” with technologies changing quickly. Burke said the attackers also tend to be highly sophisticated.
“Universities try to instill and create open environments,” Burke said.
This balance between being open but needing to maintain security can present a challenge.
The university’s battle with cyberattacks emerged around 2005, Stone said, starting with malware and computer viruses.
So in 2006, the university founded its Office of Information Security and Privacy, Stone said. The University of South Carolina similarly has a University Information Security Office.
The Office of Information Security and Privacy’s budget had grown in recent years, from $588,157 in fiscal year 2017 to just under $2 million in 2019, not including capital expenditures, Clemson’s associate vice president of strategic communications, Joe Galbraith, said.
Tempy Wright, vice president of marketing with Delta Risk, the security consulting firm, said universities have generally been slow to catch on to such risks.
“It’s amazing how little companies and universities are doing with data,” she said. “Some people give up and assume their data is already stolen.”
She said universities are where healthcare institutions were a few years ago, just starting to recognize the importance of protecting data.
Burke said an important step is for universities to work proactively — blocking and tackling, he said — to prevent breaches.
“You can make technology do whatever you want it to do,” Stone said. “The people are the ones that aren’t so easy to deal with. You can’t just turn a knob and make people security-aware.”
In 2018, Clemson began mandating annual security training for its employees. A second round of training is scheduled for this October, Stone said.
One challenge that public universities face is finding the resources to hire the best talent to protect them, Burke said.
According to the Bureau of Labor Statistics, the median pay for an information security analyst in 2018 was $98,350 a year, and the projected percent change in jobs in the field is 28% between 2016 and 2026 compared to 7% for all occupations. According to the South Carolina Department of Administration’s database, salaries in Clemson’s data security office range from $70,000 to Stone’s salary at $162,000.
Stone said the university has made “great strides” in retaining and funding talent.
Stone, whose team includes 15 employees, said Clemson’s rural location can also be an obstacle. Greenville has a wealth of tech talent, but not everyone is willing to commute 45 minutes to the university, he said.
Clemson is also relocating two of its professors, Harlan Russell and Kelly Caine to the Charleston area for a year to expand cybersecurity courses and opportunities for graduate students at the university’s center there.
Stone said his hope is to receive an audit without data breaches, but he said that may be unrealistic with the challenges of constantly training new employees.
“If we kept the percentage of users who fell for the test under 5 percent, I would be ecstatic,” Stone said.