Reducing the risk: password management in higher education

Higher Education institutions have always been front and centre of digital security threats

The mix of digitally savvy young adults in a technologically advanced environment, plus other actors who have reason to access or disrupt research or teaching, makes these institutions targets for a wide range of internal and external attacks.

With the growth of remote and hybrid teaching since 2020, the number of access points, applications, accounts and networks that could enable malicious activity has multiplied. In 2020, education was ranked in the top five industries to experience significant breaches, according to the Verizon 2020 Data Breach Incident Report, with 819 incidents and 228 confirmed total breaches in the US alone; 80% of confirmed data breaches were the result of weak, default or stolen passwords.

Knowing what’s best doesn’t always mean doing what’s best

Awareness of good security practices has certainly grown, as a generation of digitally native young people has grown up with internet filters and with being made aware of the risks of their online presence. However, there is, to a certain degree, cognitive dissonance between knowing good cybersecurity practices and putting them into action consistently. Humans are very good at falling back on patterns and focusing on the task in hand, leaving to one side seemingly superfluous activity, such as detailed cybersecurity precautions.

Research by Identity and Access Management solutions provider, LastPass by LogMeIn, has shown that 91% of people say they know using the same or a variation of the same password is a risk; however, 66% of people always or mostly use the same password or a variation on it when asked to enter a new password. Likewise, 77% of people say they are informed of password protection best practices, and, yet, 48% said, if it’s not required, they never change their password. When the average person has to remember 191 passwords, it’s perhaps not surprising that patterns of behaviour for creating and managing them arise.

Why is the risk higher in education?

The volume of people and the number of staff and student changes is particular to higher education institutions, with cohorts of students changing annually, often staggered between undergraduate and postgraduate degrees, split between part- and full-time courses, and, sometimes, resitting, deferring, interrupting or withdrawing. In fact, 34% of higher education IT professionals are challenged by keeping up with the volume of staff and student changes, meaning some user accounts may retain access to applications and data that they should no longer have.

Accounting for and protecting every entry point and device that accesses institutions’ data and applications stymies 32% of higher education IT professionals. With the growth of hybrid teaching, and further increases in BYOD, there will be a further explosion of devices accessing institutions’ networks, the same devices often being used for personal as well as academic use. Shared devices and broadband networks, and the number of people from outside of institutions with potential access to devices will also increase, as remote teaching continues – devices, perhaps, being left unlocked in domestic and other shared environments.

Even with device protections in place, the risk of credentials being stolen remains high as more than half the data compromised in breaches are credentials, resulting in 15 billion stolen logins circulating on the dark web.

So, what’s the solution?

For every problem, there’s a solution, and 93% of cyber incidents can be prevented with the right tools. Where available, multi-factor authentication (MFA) and single sign-on (SSO) both increase security and reduce the number of logins required. These can be supplemented with password management tools, such as LastPass by LogMeIn, which require users to memorise a single password and will then store, encrypt, and fill in different, securely-generated passwords for applications across devices. Enterprise-level versions enable administrators to easily add and remove access permissions on a group or individual level, making staff and student changes easier to manage.

To learn more about how to increase control and visibility with a simple password management solution that’s effortless to use, download the full Password Hygiene in Higher Education eBook.
