Higher Education: Lessons In Cybersecurity

Universities offer rich pickings for cyber criminals; they have access to research and intellectual property, as well as close ties to partner organisations (both commercial and non-commercial), that can provide a vital link to otherwise highly protected intellectual property.

This risk factor is compounded with the complex nature of information sharing in the higher education sector.  

The user population at universities is large and varied, including students, distance learners, lecturers, and partner institutions, with a proportion of these people having multiple roles (teacher and student for example).  In addition, there is a high annual turnover of user accounts due to students enrolling, leaving, taking on new academic roles, etc -making managing system access a challenging task.

The net result of this elaborate network is a large potential attack surface.  Combine that with the potential rewards for successful hackers, and it’s not hard to see why universities rank highly on the cyberattack hit list.

Daily Cyberattacks, With Research A Key Prize

This theory is backed up by research undertaken by Turnkey, 88% of people surveyed believed their higher education organisation was subject to a cyberattack at least once a day, while 91% said they were targeted as much as or more than the commercial sector.  

44% of respondents believed research was the biggest target for cyber criminals, compared to 32% saying it was financial information.

Reputation, Funds & Compliance Are At Risk

Reputational damage is seen to be the number one impact of a data breach (followed by loss of data, financial loss and non-compliance).  This is a big consideration for universities as it can impact student numbers and funding in the future. Interestingly however, 44% of respondents felt their organisation would feel a limited financial impact after a breach. This seems low, particularly in view of it going hand-in-hand with reputational damage. 

Equally, when it comes to longer-term impacts, the gravity of data loss and non-compliance should not be overlooked; academia is subject to the same data protection regulation as the commercial world – and that can mean significant fines.

Cyber Protection Is Low

Worryingly, however, despite the risks, threats and potential implications identified, 47% of people surveyed felt their organisation had only average or limited cyber resilience. 53% said they had average or weaker than average protection against impersonation attacks (when an attempt is made to gain unauthorised access to data, applications or systems by pretending to be an authorised user); this is significant in view of the type of information universities publish compared to a lot of corporates – it’s easy for bad actors to find the names of real people at the organisation and use them to gain unauthorised (but seemingly legitimate) access for example.

In terms of the risks, 53% of respondents said ransomware was the biggest cyber risk to their organisation, 24% stated phishing and 12% named spear phishing.

Remote Working Compounds The Threat

The pandemic and subsequent lockdowns proved it was possible to work and study remotely, and the current hybrid operations model that has evolved is potentially bad news for cybersecurity safety. 44% of people surveyed felt there had been a rise in access-related incidents since distance learning was introduced. (35% felt there wasn’t, 21% weren’t sure.)

Cyber Resilience Is Critical

These findings, echoed by various headlines and reports on cyberattacks at educational institutions, highlight the need for a risk-based approach to cybersecurity. If they aren’t already, universities should be adopting a systematic process that identifies, assesses, and prioritises the risks they face on an organisational basis – with this also addressing risks introduced by interfaces with partner enterprises. From there the appropriate mitigation strategies can be put in place, with these including the fast detection of an intrusion, and the ability to shut it down as quickly as possible to limit the scope of the attack. 

Other initiatives include Identity and Access Management (IAM); limiting the access that people have to the information and applications they need to do their job minimises the damage that a bad actor infiltrating the system can do. Given the often-transient nature of the sector, the Joiners and Leavers process is also a core element, allowing as it does permissions to be managed as people join, leave, and move round the organisation.

Multi Factor Authentication (MFA) is another tool that is increasingly being used to prevent impersonation, while focusing on basics such as ensuring a proactive patch strategy is in place and operational should be a given.

Regular reporting to management teams ensures visibility and means they know and understand the risks (as well as the work that is done daily to prevent and mitigate attacks); this is also a lever when applying for budgets to fund cyber resilience initiatives. 

There is no silver bullet, but with higher education organisations firmly in the sights of unscrupulous operators, cyber resilience needs to be a core element of the IT security curriculum. 

Chris Boyle is Practice Director – Identity & Access Management at Turnkey Consulting

You Might Also Read:

Who Was Responsible For Hacking Both IBM & Stanford University?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Effective Enterprise Vulnerability Management & Compliance
Breach Will Cost Capita At Least £20m »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Digital Forensics Inc (DFI)

Digital Forensics Inc (DFI)

Digital Forensics Inc. is a nationally recognized High Technology Forensic Investigations and Information System Security firm

CERT Polska

CERT Polska

CERT Polska is the first Polish computer emergency response team and operates within the structures of NASK (Research and Academic Computer Network) research institute.

EverC

EverC

EverC (formerly EverCompliant) is a leading provider of cyber intelligence that allows acquiring banks and payment service providers (PSP) to manage cyber risk.

Maritime Cyber Alliance

Maritime Cyber Alliance

Maritime Cyber Alliance was established in 2017 by Airbus , CSOAlliance , MCSA & Wididi to provide a medium for both public Cyber Safety advice and for businesses to discuss Cyber concerns.

Clym

Clym

Clym is the data privacy platform that helps organisations meet their data protection obligations. Cookies, Consent, Requests, Policies and more are all managed in a secure and adaptive application.

Mphasis

Mphasis

Mphasis is a leading applied technology services company applying next-generation technology to help enterprises transform businesses globally.

Absa Cybersecurity Academy

Absa Cybersecurity Academy

Absa Cybersecurity Academy is an initiative aimed at empowering marginalised South African youths to become certified cybersecurity specialists.

Internet Crime Complaint Center (IC3)

Internet Crime Complaint Center (IC3)

The Internet Crime Complaint Center provide the public with a reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity.

Huntington Ingalls Industries (HII)

Huntington Ingalls Industries (HII)

Huntington Ingalls Industries is America’s largest military shipbuilding company and a provider of professional services to partners in government and industry.

GTT Communications

GTT Communications

GTT are a global network provider that serves thousands of multinational and national enterprise, government and carrier customers with a portfolio of advanced connectivity and security services.

Quatrro Business Support Services (QBSS)

Quatrro Business Support Services (QBSS)

QBSS is a tech-enabled outsourcing firm that’s changing the way companies think about finance, accounting, human resources and technology services.

HADESS

HADESS

We are "Hadess", a group of cyber security experts and white hat hackers.

National Information and Cybersecurity Council (NICC)

National Information and Cybersecurity Council (NICC)

National Information and Cybersecurity Council is a leading collaborative effort between Government of India and Industry to raise Cybersecurity awareness nationally.

Sayers

Sayers

Sayers is best known for its ability to solve business challenges with IT solutions. Our areas of expertise include cloud, storage, virtualization, security, mobility and networking.

DataProof Communications

DataProof Communications

DataProof Communications is Cybersecurity Company specialising in cybersecurity operations, incident management and response best practices and technologies.

Reco AI

Reco AI

Reco is an identity-centric SaaS security solution that empowers organizations with full visibility into every app, identity, and their actions to control risk in their SaaS ecosystem.