This article was originally published in Iowa Capital Dispatch.
Des Moines Area Community College is a harder target for cyberattacks and scams than it used to be, President Rob Denson said, but it takes constant effort and vigilance to stay that way.
Almost every day, he and his staff receive fake attachments, fraudulent messages from people claiming to be coworkers, and applicants who intend to take financial aid and run rather than attend classes, despite best efforts to head them off.
“Threat actors are always looking for you to let down your guard,” he said.
To keep campus safe, some Iowa community colleges are having to put more and more time, manpower and money toward cybersecurity.
Aaron Warner, CEO of cybersecurity company ProCircular, said community colleges are targets for bad actors because they house a lot of sensitive information, their student populations see continuous turnover, and they’re made to be as accessible as possible.
The often-chaotic time just before school starts is also utilized by cybercriminals, as faculty and staff are busier and less likely to catch suspicious emails or other activities.
“It’s an unfortunate byproduct of the fact that they’re a community organization,” Warner said. “They are designed to interact as best as possible with the community. Bad guys take advantage of that.”
When the COVID-19 pandemic forced employees to work from home, Warner said the opportunities to conduct cyberattacks expanded. Gone was the castle-and-moat style of keeping sensitive information on one secure network as data was transferred onto home computers and laptops. The risk of a successful cyberattack or intrusion didn’t so much rise as become more distributed, he said.
DMACC and Iowa Central Community College have already faced in real time what ProCircular simulates for training — a breach in cybersecurity. Iowa Central Community College was hacked in 2018, and DMACC saw a breach in 2021.
Both colleges amped up security efforts in response, which they still keep up today.
Colleges work to stop ‘ghost student’ scam
One problem DMACC has worked to curb is “ghost students,” or applicants who use fake or stolen identities to seek financial aid. Denson said the college started seeing more fraudulent applications around two years ago, coming in groups from certain areas in different states and filing for loans without any intent of actually attending classes.
For around a year, DMACC staff have been calling every applicant to confirm their identity before putting their information into the system, Denson said. While this practice has cut down on ghost student applications, it’s not the easiest task to undertake.
In fall 2022, DMACC admitted more than 1,600 full-time, first-time students. Admissions staff and recruiters called each applicant and recorded the confirmation of their identity in the DMACC system — a time-consuming process, Denson said, as many students aren’t easy to reach over phone or email.
“It’s a terrible use of time, it’s not the best use of their skills, but it’s something we’ve got to do,” Denson said. “What we don’t want to do is get a fraudulent app inside of our learning management system.”
At its peak in late July 2022, Denson said the college was receiving around 15 fraudulent applications a day. Since implementing this practice, Denson said that number has decreased significantly, but one or two a day still pop up.
Denson said the amount of time and manpower needed to verify so many applicants pulls people away from their other work.
“We would rather have recruiters out recruiting and advisors talking to students about their career, rather than verifying somebody’s identity,” he said.
In order to lower the risk of a fake student infiltrating Iowa Central Community College’s systems, President Jesse Ulrich said staff purges all records of inactive students — those who applied but never signed up for classes or interacted with the college in any way — every semester.
Cybersecurity is costly
Staff and faculty at both community colleges receive training on how to spot and report phishing, and receive random test phishing emails. Iowa Central Community College has members of its IT team dedicated to servers and infrastructure, and DMACC has a cybersecurity expert on retainer.
Security software, training and insurance all require funds, Ulrich said, which could be used in other areas of the college.
“Anytime you are putting more resources into cybersecurity, whether that’s through people, software, paying more for insurance; all of those things pull from the general fund or other areas of our funds to be able to really meet the core purpose of community colleges,” Ulrich said.
Both colleges have cyber insurance; Denson said the college’s annual insurance cost is five times what it was, and the deductible has doubled.
Even divulging details on its cybersecurity insurance could put the college at risk, Ulrich said, as threat actors will look through public records to determine how well-insured schools are and use that in attacks.
“It’s kind of a lose-lose situation for higher ed when we’re put in that situation,” he said.
However, having these safeguards isn’t really a choice, Denson said — it’s a necessity, and one that isn’t going away soon.
According to SonicWall’s 2023 Cyber Threat Report, educational institutions were cybercriminals’ top targets for malware attacks. At the recent annual Community Colleges for Iowa conference, Ulrich said cybersecurity was among the top 10 challenges facing higher education today.
ProCircular works with more than just community colleges to evaluate cybersecurity efforts, but the leaders at colleges Warner has met are among the most understanding of the issues and how to tackle them, he said. Much of the company’s training involves ensuring people know what to look for, how to respond in the event of a breach and helping them allocate resources in the right areas.
U.S. Rep. Zach Nunn introduced legislation in April to help curb cyberattacks against K-12 schools by increasing available resources, expanding information sharing on cyberattack prevention and improving national tracking of cyberattacks. While no bills targeting cybersecurity in higher education have been introduced, a spokesperson for Nunn’s office said they are working with as many entities as possible to help tighten cybersecurity across the board.
Community Colleges for Iowa Executive Director Emily Shields said there has been interest in the state Legislature in working to curb cybersecurity breaches in higher education, but many of the best practices suggested in discussions are already being practiced by community colleges.
When it comes to funding, Shields said colleges would rather see more dollars go into general funds than specific silos like cybersecurity, as it allows them to be more flexible in allocating resources.
The organization has worked to help keep colleges informed about cybersecurity threats and avenues to help fend off attacks, in the event one does occur, she said.
“The conversation always is not if this is going to happen in your college, it’s when,” Shields said. “Everybody’s anticipating. You will have cyberattacks, probably plural — it’s making sure you’re ready for that.”
Iowa Capital Dispatch is part of States Newsroom, a network of news bureaus supported by grants and a coalition of donors as a 501c(3) public charity. Iowa Capital Dispatch maintains editorial independence. Contact Editor Kathie Obradovich for questions: email@example.com.