Research reveals top universities at high risk for security breaches

Stefanie Botelho's picture
Friday, August 22, 2014

BitSight Technologies, the standard in Security Ratings, today released a new BitSight Insights report titled, “Powerhouses and Benchwarmers: Assessing Cyber Security Performance of Collegiate Athletic Conferences,” which uncovers quantifiable differences in security performance across collegiate athletic conferences from July 2013 through July 2014. The report reveals that as a sector, the nation’s top schools are at even greater risk for security breaches than retail and healthcare.

“From social security and credit card numbers to health records and intellectual property produced by research departments, colleges and universities house a vast amount of sensitive data. While not surprising given the unique challenges universities face securing open campus networks, it’s concerning to see that they are rating so far below other industries that we’ve seen plagued by recent security problems,” said Stephen Boyer, co-founder and CTO of BitSight. “But, there are schools that perform well above the aggregate ratings for other industries, and the fact that the highly rated schools that we looked at all employ a CISO or director of information security, demonstrates that a top-down commitment to security and risk is crucial. These schools should serve as an example for other colleges to benchmark their performance against.”

To help campuses address their security performance issues, BitSight is offering higher education institutions free access to the company’s Security Ratings product. As part of the new program, colleges and universities will receive their own individual Security Ratings score along with internal data including security event details and risk vectors. Armed with their own Security Ratings, users can compare themselves to the overall higher education sector with industry scores provided by BitSight, and see how they stack up. This intelligence can be leveraged by internal IT teams and also shared with boards to start conversations about security risk and performance. For more information or to register for the program, visit http://bitsig.ht/1oX0gIK.

The BitSight platform uses publically available data to rate the security performance of an organization on a daily basis. Observed security events and configurations, such as communication with a botnet, malware distribution, and email server configuration, are assessed for severity, frequency and duration and used to generate objective Security Ratings. BitSight Security Ratings range from 250 to 900, with higher ratings equating to higher security performance. Collegiate athletic conference ratings are calculated using a simple average of the Security Ratings of colleges and universities in each conference.

Key Findings

* Schools at the Bottom of the Draft - Colleges and universities are failing to adequately address security challenges, with the Security Ratings of athletic conferences averaging around 600. This is considerably below retail and healthcare, two other industries that have faced serious data breaches in the past year. To view a copy of BitSight’s recent industry benchmark report for S&P 500 companies, visit http://bitsig.ht/TxGRXy.

* Blitzed by Malware - Higher education institutions experience high levels of malware infections, the most prevalent infection coming from the Flashback malware, which targets Apple computers. Other prominent malware include Ad-ware and Conficker. 


* Homecoming Challenges
- Overall security performance declines significantly during the academic school year months of September to May. The conferences see an overall 30 point drop in Security Ratings. This is likely due to the influx of students and devices on campus networks. 


* Powerhouses have a Playbook - The schools included in our analysis with a Security Rating of 700 or above all have a dedicated CISO or Director of Information Security on staff. Such prioritization of information security is a key indicator of better security performance.

To download a full copy of the BitSight Insights report, visit http://bitsig.ht/1oX0Lm8.

About BitSight Technologies


BitSight Technologies is transforming how companies manage information security risk with objective, evidence-based security ratings. The company's Security Rating Platform continuously analyzes vast amounts of external data on security behaviors in order to help organizations make timely risk management decisions. Based in Cambridge, MA, BitSight is backed by Commonwealth Capital Ventures, Flybridge Capital Partners, Globespan Capital Partners, and Menlo Ventures. For more information, please visit www.bitsighttech.com or follow @BitSight on Twitter.