Why academic institutions remain especially vulnerable to cyberattacks



Leadership and diversity trainer Glenn Singleton addresses University of Texas at Austin students and community leaders at the Dolph Briscoe Center for American History at UT.
Singleton is the creator of Courageous Conversation, a thought-provoking training protocol for interracial dialogue, and works to establish racial equality worldwide.
Image – LBJ Library – Public Domain (CC0 1.0)

Academia remains a target for cyber-related incidents, as cyber events in 2023 demonstrated, such as the University of Minnesota data breach. In this incident, a hacker on a dark web forum claimed to have access to 7 million Social Security numbers. Such events have highlighted how ill-equipped many universities are against the threat of cybercrime.

This concern is backed up by a survey of US college and higher education email domains, which revealed that fewer than one in ten institutions have implemented basic phishing and spoofing protection.

The research was undertaken by the email security provider EasyDMARC, which reviewed the security policies of U.S. .edu email domains. These email domains are assigned to 1,930 US colleges and further education institutions.

EasyDMARC’s research found that only 152 (7.8 percent) of US .edu domains have correctly implemented and configured security policies to flag, report, and remove outbound phishing emails. This is a very low figure and demonstrates the extent of the vulnerability faced by schools and colleges.

To gather representative data, the survey reviewed the deployment of the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard among U.S. .edu domains.

First published in 2012, the DMARC standard enables the automatic flagging and removal of received emails that impersonate senders’ domains, which is a crucial way to prevent outbound phishing and spoofing attempts.

The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat activities.

EasyDMARC’s research found that only 58 percent of U.S. .edu domains had implemented the decade-old DMARC standard. The research also revealed an under-utilization of DMARC’s capabilities where it is deployed.

Even among the US .edu domains that had implemented DMARC, most are failing to use the tools effectively. For example, 76 percent of domains have their DMARC policies set to only monitor outgoing emails impersonating legitimate domains. A further 17 percent go slightly further in sending impersonating emails into quarantine, meaning 93 percent of even DMARC-using domains leave users vulnerable to still receiving phishing emails.

This creates a substantial risk of ransomware attacks, fraud, and data breaches.
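The monitor, quarantine and removal levels described above correspond to the `p=none`, `p=quarantine` and `p=reject` tags in a domain's DMARC TXT record. The following is an added example, not EasyDMARC's code or methodology, that classifies records by enforcement level. The records and `example.edu` names are constructed, and reporting `pct` below 100 as partial enforcement is an assumption of this sketch.

```python
from collections import Counter

# Constructed sample: the TXT record found at _dmarc.<domain>, or None if absent.
SAMPLE = {
    "a.example.edu": "v=DMARC1; p=none; rua=mailto:dmarc@a.example.edu",
    "b.example.edu": "v=DMARC1; p=quarantine",
    "c.example.edu": "v=DMARC1; p=reject; pct=100;",
    "d.example.edu": None,
    "e.example.edu": "v=DMARC1; p=reject; pct=25",
    "f.example.edu": "p=reject; v=DMARC1",  # version tag not first
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    # RFC 7489: the v tag must come first and its value must be exactly DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    return dict(pairs)

def enforcement(txt):
    """Classify one record: no-dmarc, invalid, monitor, quarantine, reject or partial-*."""
    if txt is None:
        return "no-dmarc"
    tags = parse_dmarc(txt)
    policy = (tags or {}).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when omitted
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitor"  # reports only; spoofed mail is still delivered
    # Assumption of this sketch: pct < 100 is reported as partial enforcement.
    return policy if pct >= 100 else "partial-" + policy

def summarize(records):
    """Count domains per enforcement level."""
    return Counter(enforcement(txt) for txt in records.values())

if __name__ == "__main__":
    for level, count in sorted(summarize(SAMPLE).items()):
        print(f"{level:18} {count}")
```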

