Young Indian lady on a video call on her laptop.

What are the most significant cybersecurity risks faced by higher education institutions?

The extent to which the Covid-19 pandemic has affected our lives is no secret. In the higher education sector, the pandemic fuelled a shift to remote working – both from a teaching and a research perspective – while also leading to other challenges like a significant drop in international students.

Institutions adopted technology quickly, but at what cost?

Universities, and indeed all educational institutions, deserve credit for the speed at which they adopted technology and changed how they worked during the early stages of the pandemic. However, as was the case with businesses and local authorities, a swift pivot towards remote learning and working saw cybersecurity concerns somewhat placed on the backburner.

As such, universities and other education providers now face greater exposure to cybersecurity threats than ever before and questions about whether they’re set up to properly deal with them. With students now back at university and the academic year in full flow, institutions must be aware of the threats and be prepared to minimise risk.

Why are universities an attractive target for hackers?

There are several reasons, including:

  • Universities often undertake research of significance, and the data they hold resulting from this work can be hugely valuable
  • Sensitive data held about staff and students
  • The opportunity to cause disruption to remote learning via ransomware and other types of cyberattack

Because universities generally have a level of autonomy and independent governance way beyond that of even private sector businesses, the data they hold can be highly attractive.

The devastating impact a ransomware attack can have on a university was seen only too well earlier this year when the University of Hertfordshire was hit. While not disclosing the affected institutions, the National Cyber Security Centre said that similar ransomware attacks had seen a broad range of data stolen, including:

  • Student coursework
  • Financial records
  • Covid-19 testing data

Cybercriminals stealing financial records and data is to be expected. However, that they’d also target coursework and health data shows the scale of the challenge facing universities. None of their information is safe, so they must act accordingly.

What are the most significant cybersecurity challenges for universities to address?

The biggest challenge is undoubtedly the continued distributed nature of universities’ work. While everything done online previously happened using an institution’s (presumably) secure network, the prospect of professors and students potentially accessing portals and submitting data over insecure connections means cybersecurity risks automatically increase.

Even with anti-virus software and things like multi-factor authentication (MFA) in place, they are effectively a sitting duck for cybercriminals if networks remain insecure.

What do hackers want to achieve by targeting universities?

The motivation and thinking behind different cyberattacks and data breaches can vary.

An individual or team of cyber criminals might want to hack a university to:

  • Steal information
  • Access data they could sell to a business or anyone looking to bypass costly and time-consuming research and development procedures
  • Conduct espionage on universities or individuals
  • Spread false information about educational institutions or people

How do cybercriminals target universities?

The most common method is to steal login credentials of those in senior leadership positions at universities. Such individuals will have the broadest range of access to systems and data, so it makes sense for cybercriminals to target those that give them the potential to cause maximum disruption.

What should universities be doing to keep themselves safe?

There are several things universities and other educational institutions can do to minimise their chances of falling victim to a successful cyberattack.

A good starting point for any university is to adopt a Zero Trust framework, which introduces various levels of MFA. Providing additional layers of security in this way adds barriers for cybercriminals looking to access data and gives security systems more chances to stop them if they manage to break through some of the measures in place.

Systems access and privilege management is also a critical function for higher education providers. As a minimum, universities should look to:

  • Have a “principle of least privilege,” meaning users have access only to the data they need to fulfil their role
  • Have a systems access auditing procedure to ensure the above is maintained
  • Ensure at least those with access to highly valuable information and data – but ideally everyone – is notified to regularly update passwords
  • Make MFA mandatory

On top of all this, universities’ security teams must remain vigilant and have plans in place to deal with data breaches when they happen. Unfortunately, data breaches are inevitable, even with the best possible security processes in place.

How can you protect yourself from data theft if you’re a student?

As a student, all you can do is control the way your own behaviours impact your risk of falling victim to cybercrime.

Protect yourself and your university by:

  • Reporting any unusual activity such as suspicious-looking emails that come through to your university email address
  • Using MFA, where available, for any systems you access as part of your course
  • Ensuring you’re using secure wi-fi networks when not working on campus
  • Using strong passwords for your email account and other platforms that you access
  • Signing out of systems when you’re finished using them

If your university puts your data at risk, you could be entitled to compensation

If your university has fallen victim to a data breach, and your privacy has been compromised as a result, you could be entitled to compensation.

Contact LawPlus now for a FREE, no-obligation assessment of your potential claim.