Assessing the Cyber Risk of Collegiate Athletic Conferences
It is no secret that America's colleges and universities hold a wealth of personal and sensitive information that is frequently targeted by cybercriminals, as evidenced by some public data breaches in the past year affecting major universities. Today we at BitSight published our quarterly BitSight Insights report that analyzes the security performance of higher education institutions in America. We conducted a thorough analysis of the largest and most prestigious collegiate athletic conferences in the nation: the ACC, SEC, Pac 12, Big 10, Big 12 and Ivy League. The member schools of these athletic conferences are large to medium-sized universities that give a strong representative sample of the higher education industry in the United States, encompassing a student population of 2.25 million and a network space of more than 11 million IP addresses.
By analyzing the aggregate Security Ratings of each conference, we gained insight into the overall security performance of higher education institutions during the past year (July 2013 to June 2014). BitSight Security Ratings (data sheet) are calculated daily and range from 250 to 900, with higher ratings equating to better security performance. Using our unique outside-in view of internet security, our data reveals that the education industry as a whole, and colleges in particular, fail to make the grade when it comes to securing their networks. Yet while many schools are lagging in overall security performance, a notable number of colleges are excelling at security performance. By using comparative data on industry averages and peer schools, these high performers can serve as a benchmark for other institutions of higher education, enabling university security teams to better advocate for resources and budget to effectively tackle these potentially costly issues.
Below is a brief summary of our findings:
Colleges at the Bottom of the Draft. Colleges and universities are failing to adequately address security challenges, with the Security Ratings of athletic conferences averaging around 600. This is considerably below retail and healthcare, two other industries that have faced serious data breaches in the past year.
Blitzed by Malware. Higher education institutions experience high levels of malware infections, the most prevalent infection coming from the Flashback malware, which targets Apple computers. Other prominent malware includes Adware and Conficker.
Homecoming Challenges. Overall security performance declines significantly during the academic school year (September to May). The conferences see an overall 30-point drop in Security Ratings. This is likely due to the influx of students and devices on campus networks.
Powerhouses have a Playbook. The schools included in our analysis with a Security Rating of 700 or above all have a dedicated CISO or Director of Information Security on staff. Such prioritization of information security is a key indicator of better security performance.