Creating a learn-at-home experience in just a few weeks last year was an incredible achievement for universities. But this rapid shift created a problem: cyber-criminals have been gifted the perfect opportunity to target them.
The University of Northampton’s recent experience shows how much damage these attacks can cause: its IT services – including email and virtual-learning platforms – were knocked out for days. Two weeks later, the University of Hertfordshire was forced to cancel online teaching due to a similar breach, with student log-ins, email and video conferencing all affected. In the US, Brown University had to disconnect its data centre and shut down systems following a threat to its Windows operating system.
The headache faced by universities is that the things that help them collaborate and thrive, such as open, information-rich websites, ubiquitous connectivity and collaborative platforms for students and staff, also leave them vulnerable to cyber-attacks.
Many laptops and other devices were sourced and configured in a panic as lockdowns were suddenly instituted. Cloud services were rapidly scaled up and security had to come second to the sheer urgency of getting services up and running. Even as students return to campuses in some countries, including England this week, many of these platforms remain in place. So it’s no surprise the UK’s National Cyber Security Centre (NCSC) has warned that the cyber-vultures are circling higher education and are eager for a quick and easy meal.
They certainly have a smorgasbord of tasty dishes to choose from, including personal data, student data, research and intellectual property and payment data. Figures from the Information Commissioner’s Office (ICO) reveal that the education sector accounted for 12 per cent of all personal data breaches from July to September 2020 related to cyber-security breaches.
While the attack methods used are constantly evolving, the NCSC has confirmed that attackers frequently target organisations’ networks or use phishing email campaigns to deploy ransomware. Despite this warning, recent attacks suggest that universities are still inadequately prepared to protect themselves.
Ransomware attacks remain the dish of choice, with the hijacking of institutional systems causing systems to crash for days, even weeks. UK foreign secretary Dominic Raab told the Cyber UK conference last week that 80 British schools and universities were hit by ransomware attacks in March alone.
Universities know these events can be highly embarrassing and damaging to their reputations, whether they are stories of lost student coursework or stolen medical records. There is also the very real risk that if institutions refuse to capitulate to demands, cyber-criminals will make good on threats to release sensitive data to the public via “name and shame” websites on the dark web.
Aside from the usual threats, there is a growing fear that global, information-rich university systems could be used to fuel and facilitate so-called “hacktivism” – in which ideologically driven hackers target corporations, social media platforms or government agencies primarily to make a political point rather than make money. Universities hold a lot of sensitive information in areas such as science, engineering and medicine; there was even a cyber-attack on a University of Oxford University laboratory involved in Covid-19 research, raising concerns about the possibility of sabotage. This shows how unpredictable this trend has become, with hacktivists targeting a diverse range of institutions and corporations.
Universities are unlikely to able to prevent all attacks, particularly in an environment where they are increasing. But what cost-effective steps can be taken to mitigate such attacks? Training and education for staff and students are, of course, crucial, while institutions should also restrict access to sensitive data where possible. That should include removing redundant accounts and revoking access when a user leaves or changes roles.
Unfortunately, some attacks will get through, so universities should ensure that robust monitoring services are in place to identify and contain them quickly. Institutions must be prepared for the worst and have a well-rehearsed plan to enable rapid recovery, which must be revisited regularly to accommodate new systems and methods of attack.
Fast tech solutions – like fast food – served their purpose during the extreme uncertainty of the pandemic, but they are not sustainable. To secure the longevity of our institutions, it is time to plan a more substantial menu of defences.
Laura Marsden is a public services cyber-security expert at PA Consulting.