This week the National Cyber Security Centre issued its latest alert warning of the threat of disruptive attacks aimed at the education sector, following a spate of attacks on schools, colleges, and universities.
Earlier in the summer, and amid the Covid-19 lockdown and subsequent disruption, dozens of UK universities reported data breaches to the Information Commissioner’s Office after a US-based supplier of alumni database software suffered a cyber-attack.
Non-profit organisations, including those in arts and culture, education and health providers, and charities, are often highly networked in their communities and hold large amounts of sensitive personal and often commercially valuable data. They are also frequently the organisations least likely to have strong cybersecurity protections in place, which makes them vulnerable. For universities, personal data breaches can potentially damage their reputation and their valuable relationships with former students.
Cyber villainy
The education sector tends to be seen as an increasingly attractive target for cyber criminals. Year on year, reported breaches in schools, colleges and universities have not only increased in number, but also in scale and sophistication. In 2019 alone, the total number of breaches against the sector was higher than in 2018 and 2017 together. This growth in attacks is set to continue as education accelerates its digital offerings and transforms its remote learning and working offerings as a result of the pandemic.
Cyber attacks frequently take the form of Remote Access Trojans (RATs), downloaded unknowingly as an email attachment or via software accessed through the internet, such as a game. Once installed on your computer, a RAT can give an attacker backdoor administrative access to your device, allowing access to your data and letting the malware spread across your network. In some cases, ransomware locks you out of your device and demands a payment for the key needed to decrypt your files.
Also common are social engineering techniques, such as adware, which is malware that displays unwanted advertising on your computer, and phishing, in which individuals are duped into sharing sensitive data or even transferring funds. Phishing emails can be commoditised and sent in large numbers almost at random, or precisely targeted at particular people or roles.
With the advent of cloud computing, where data is stored on remote servers rather than on personal devices, it’s increasingly less about protecting your device than it is about protecting whole networks.
They’re coming for your data
The education sector is particularly attractive to criminals (and often nation states), because of the vast amount of valuable data held – think student and staff information, supplier information, alumni databases, and highly valuable research data. And yet, our work with the sector, including a cyber benchmarking study, suggests that universities are frequently inadequately prepared to protect themselves from a cyber attack.
Universities often run legacy systems supported by teams that are not equipped to deal with increasingly sophisticated attacks. Security talent is difficult to attract and retain because of highly competitive rates in the private sector, and cyber security teams within the sector most commonly consist of between one and five individuals.
Investment in cyber security is often linked to or dependent on winning new research contracts and projects, for example, research grants that require minimum cyber security certifications, such as Cyber Essentials, or alignment to international security standards, such as ISO 27001. This often leads to cyber security initiatives and technology being prioritised in small, localised areas within a university, rather than the institution as a whole.
One of the consequences is that cyber security teams can lack overall authority in their institutions, with departments purchasing systems without security oversight, potentially creating vulnerabilities. One participant in our cyber benchmarking study told us, “We struggle to keep on top of suppliers…we get involved in the process when we get invited in.” Another said, “In practice, no one is interested until something has gone wrong. IT has no remit or authority to check business processes for security compliance.”
Sadly, education providers are especially vulnerable because of the number and variety of individuals accessing their systems. University staff and students want a single sign-on to access the university's "digital campus", and – especially during the Covid-19 pandemic – they need to be able to gain access remotely and from their own devices, which are highly likely to be less secure than a university-managed device and add to the already heightened risk.
What was once a closed, sealed system, now has multiple entry points, with multiple apps and collaboration platforms interconnected, and all powered by the cloud. Cyber security teams may struggle to control and manage access rights, with one respondent to our cyber benchmarking study telling us, “You could have studied at the university, come back as a member of staff and have both your access rights combined under your identity.” And ultimately a cyber security system is only as good as its weakest point, which may be the laxest user of the network.
Defence is the best form of attack
Covid-19 has added another layer to all these existing vulnerabilities. Criminals have sought to take advantage of the pandemic and the exponential increase in remote working.
Yet it is the essential nature of universities to be networked – to enable and support student and staff engagement, and to connect with communities locally and internationally. This trend will only intensify as universities adapt further to learning and research during the current situation and its aftermath, and undertake more rapid and large-scale digital transformation.
This means that universities must seize this opportunity to develop strong foundations for a strategic approach to cybersecurity, grounded in an assessment of digital threats and assets, its people's awareness and capabilities, the processes used across the whole organisation, and the technologies that can support effective practice.
Cyber maturity assessments can help to analyse the conditions and create a road map to increased cyber maturity – on the understanding that there can be no end-point and that cyber security must evolve to keep up with the evolution and sophistication of attacks.
Once a strategy is established, the next phase is detection – conducting penetration tests, or appointing a "red team" to mount a simulated cyber-attack to expose vulnerabilities. This hands-on approach allows cyber security teams to test defences under realistic conditions and identify weaknesses that may not previously have been obvious. These exercises also help to inform business continuity planning in the event of a serious cyber-attack, and to develop incident response plans to manage recovery and mitigation should one succeed.
It’s also helpful to conduct regular threat assessments or implement threat monitoring. Understanding the evolving landscape can help educational institutions make the most of their security budgets by providing insights and information to help focus investments in the right business areas or security controls.
Even the most mature organisations are having to rethink their cyber security approach for a new landscape of remote work and study during the pandemic. Testing will need to be done remotely, business continuity plans updated, and threat monitoring enhanced to take account of new vulnerabilities and tactics.
Gaining certifications such as Cyber Essentials, Cyber Essentials Plus and ISO 27001 can help to provide assurance that universities have adequate and effective policies, processes and security controls in place. They can also help to establish frameworks and guidelines for keeping security up to date, but they cannot be relied upon in themselves to make an organisation secure.
This article is published in association with KPMG.
I’m disappointed in WonkHE for this article as raising the profile in this way looks to be more about revenue from KPMG and having an article rather than supporting universities. Cyber is on the mind of every senior HE team that I know, but the last thing that any would want is to run screaming around the internet shouting about being an easy target! The only people who would do that would be consultants with cyber services to sell. The sector has access to great cyber expertise through Jisc, so perhaps go there instead!
KPMG should disclose its role – and whether consent was acquired to publicly promote any work in this field or quote study participants verbatim.