COMMENTARY: As the 2025 academic year begins, universities find themselves at the epicenter of a new identity crisis. What was once a seasonal surge in phishing emails targeting incoming students has evolved into a complex, multi-layered threat landscape. Cybercriminals are now deploying industrialized attack methods — leveraging AI-driven phishing campaigns, automated credential-stuffing bots, and large-scale account takeover (ATO) operations — to exploit the identity sprawl unique to higher education.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
Universities are attractive targets due to their open networks, high turnover of users, and decentralized digital ecosystems. Today’s attackers exploit these realities in increasingly sophisticated ways:

- Account takeover (ATO): Credential reuse and weak authentication practices remain common among students. Attackers are weaponizing leaked credentials from third-party breaches to compromise university accounts, leading to unauthorized access to financial aid systems, research IP, and even critical infrastructure.
- Malicious bots: Automated bots are now probing university systems at scale — testing millions of stolen username-password combinations per hour. Alongside attempting brute-force logins, these bots also harvest public directories, scrape personal data, and amplify phishing payloads across campus networks.
- MFA fatigue and social engineering: Adversaries increasingly bypass multi-factor authentication by exploiting human behavior — bombarding students and staff with push notifications until access is unwittingly granted.
- Shadow identities and ghost accounts: Forgotten alumni accounts, orphaned research logins, and under-managed contractor access create persistent backdoors. These accounts often linger in directories for years, becoming low-hanging fruit for attackers.

Against this backdrop, Identity and Access Management (IAM) is the foundation of institutional security and trust. IAM enables universities to verify identities, control entitlements, and monitor behavior across vast ecosystems of learning platforms, cloud services, and research systems. At the next level, Identity Governance and Administration (IGA) introduces the automation and policy controls necessary to handle the sector’s defining challenges: high-volume joiners, movers, and leavers. Real-time governance ensures access rights are continuously aligned with academic enrollment, faculty appointments, and research project lifecycles — closing the door on abandoned or excessive privileges.

Consider one institution currently managing over 1.5 million identities across multiple authoritative systems. By implementing an advanced IGA platform, the university eliminated duplicate accounts, streamlined provisioning, and decommissioned legacy manual processes. The results have been immediate, including reduced time-to-access for new students and faculty, a decline in orphaned accounts, closing common attack vectors, and strengthened defenses against credential-based ATO attempts.

In 2025 and beyond, the resilience of higher education will depend on continuous improvement in identity hygiene, adaptive governance, and zero-trust access models. Universities must embrace machine learning-driven identity analytics to detect anomalies, automate lifecycle management to eliminate human error, and integrate bot mitigation to defend against industrialized credential abuse.
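
The lifecycle alignment described above (joiners, movers and leavers; ghost and duplicate accounts) can be illustrated with a small reconciliation pass over a directory export. This is an added example, not code from the article or from any IGA product; every identifier, affiliation and entitlement name in it is constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# All data below is constructed; roles and entitlement names are hypothetical.
POLICY = {  # affiliation -> entitlements it justifies
    "student": {"lms", "email"},
    "faculty": {"lms", "email", "grading"},
    "researcher": {"email", "hpc-cluster"},
}
AFFILIATIONS = {  # person -> [(affiliation, end date)] merged from SIS, HR, grants
    "p1": [("student", date(2026, 5, 31))],
    "p2": [("faculty", date(2027, 8, 1)), ("researcher", date(2025, 6, 30))],
    "p3": [("student", date(2024, 5, 31))],  # graduated, account never closed
}
ACCOUNTS = [  # directory export
    {"uid": "alice", "person": "p1", "ents": {"lms", "email"}},
    {"uid": "alice2", "person": "p1", "ents": {"email"}},  # duplicate identity
    {"uid": "bob", "person": "p2", "ents": {"lms", "email", "grading", "hpc-cluster"}},
    {"uid": "carol", "person": "p3", "ents": {"lms", "email"}},
    {"uid": "svc-lab", "person": None, "ents": {"hpc-cluster"}},  # no owner on record
]

def reconcile(accounts, affiliations, policy, today):
    """Return sorted (uid, action, detail) findings for a directory export."""
    findings, by_person = [], defaultdict(list)
    for acct in accounts:
        # Leavers and ownerless accounts: no affiliation that is still current.
        active = [a for a, end in affiliations.get(acct["person"], []) if end >= today]
        if not active:
            findings.append((acct["uid"], "disable", "no active affiliation"))
            continue
        by_person[acct["person"]].append(acct["uid"])
        # Movers: entitlements no current affiliation justifies any longer.
        allowed = set().union(*(policy[a] for a in active))
        excess = acct["ents"] - allowed
        if excess:
            findings.append((acct["uid"], "revoke", ",".join(sorted(excess))))
    # Duplicates: more than one live account mapped to the same person.
    for uids in by_person.values():
        first, *rest = sorted(uids)
        findings += [(u, "review-duplicate", "same person as " + first) for u in rest]
    return sorted(findings)

if __name__ == "__main__":
    for finding in reconcile(ACCOUNTS, AFFILIATIONS, POLICY, date(2025, 9, 1)):
        print(finding)
```

Running the same pass on every change in the authoritative sources, rather than once a term, is what keeps a lapsed research appointment from leaving cluster access behind.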





