The much-anticipated AP preseason college football rankings were released recently. But how do the major athletic conferences rank against hackers?

When it comes to security, the Big 12 (which includes Baylor, Iowa State, Kansas, Oklahoma and Texas, among others) outperforms the Ivy League, according to a study released Thursday by the cybersecurity rating company BitSight. Colleges in those conferences and the SEC, Pac-12, Big 10 and ACC landed ratings “considerably below retail and health care, two other industries that have faced serious data breaches in the past year,” the report says.

BitSight’s security ratings range from a low of 250 to a high of 900. The schools, measured by malware infections, averaged a 600 rating. That shouldn’t be surprising: There have been 742 data breaches at educational institutions since 2005, totaling nearly 15 million compromised records. But unlike those at big-box retailers, they affect concentrated communities and tend to get less attention (the Target hack affected tens of millions of customers).

What to do if your Social Security number was stolen

Fewer headlines doesn’t mean fewer incidents. In July, the University of Illinois in Chicago notified former students that a security breach exposed personal data including the Social Security numbers on documents from the 2002 spring semester. One month earlier, Butler University in Indianapolis said hackers may have accessed birth dates, bank account numbers and Social Security numbers for more than 160,000 students, staff, alumni and prospective students who never even enrolled there. The University of Maryland revealed in March that hackers had accessed Social Security numbers, dates of birth and names for more than 300,000 students and employees.

“Some people would assume the Ivy Leagues are doing well. They still have to fight for budgets like everyone else,” Boyer says. “I know some top tier university [chief information security officers] who at many times are throwing up their hands because they don’t necessarily have centralized control.”

The schools that performed better on the ratings employ a chief information security officer or a director of information security, the report says.

Colleges face some cybersecurity challenges that corporations might not have. While a company can restrict employees’ online activities, at universities, thousands of users connect multiple devices to the same networks, and they can’t limit much of what they do. And that’s in a culture where file-sharing is common given that students and faculty collaborate on projects, sometimes circulating the same document to hundreds or even thousands of users on a shared network. During the school year — from September to May — the conferences’ security ratings dropped 30 points, an indicator that students are a big factor.

“You can study in epidemiology the spread of disease contagion,” Boyer says. “If you have a closer knit organization with very similar software and configurations, what works on one will work on many and a lot is spread much faster.”

This story has been updated.