As digital environments become increasingly embedded in higher education institutions they become more susceptible to cyber-attacks. With elements such as open networks, large volumes of data and increasing endpoints, how can university CISOs keep cyber threats at bay?
Universities are key players in the battle against cyber-attacks as they both carry out research that advances cybersecurity while also training the next generation of cyber-defence specialists.
They can, however, fall victim themselves to hackers who may, for example, be interested in getting their hands on the sensitive data they store.
It is an issue of particular importance in UAE given the huge expansion of the university sector in the Emirates over the past two decades.
Like some other GCC nations, the country has seen the growth of its own higher education institutions as well as the launch of campuses linked to overseas universities, such as the University of Birmingham Dubai and New York University Abu Dhabi.
Morten Illum, vice president, EMEA, Aruba, a Hewlett-Packard company, highlights several reasons why advances in technology have created new vulnerabilities.
According to Ilum, while mobile connectivity, the cloud and IoT (which may be represented at universities by everything from security cameras to smart laboratory equipment) have brought benefits, they have also “provided hackers with a plethora of opportunities” to exploit gaps in cyber defences.
The explosion of IoT devices has left organisations of all kinds vulnerable to infected devices, says Illum, adding that this is particularly true of universities, which rely heavily on bring-your-own-device (BYOD) environments.
“Educational institutions typically have vast campuses and user bases, a large variety of devices trying to connect to their networks at any given time, and a huge amount of data passing through their systems, all of which presents a very real security risk,” he says.
“In addition, younger generations (i.e. students) tend to be early adopters of new technologies, which means that their odds of being exposed to scams and other social engineering attacks is significantly increased.
“It is also not just their own members that universities need to worry about. By their nature, universities are intended to enable frequent international collaboration and will regularly host global visitors, all of whom want to connect to the network. This only increases the risk of having the network exploited.”
In a briefing document published last year, Craig Badrick, the CEO of Turnkey Technologies, a United States-based networking and cybersecurity company, reported that more than half of students take at least two internet-connected devices to the university campus. More than a fifth bring three or four.
University networks are large and complex, and are being used 24 hours a day, seven days a week, another factor that makes them vulnerable to attack.
Cybersecurity breaches may be especially harmful because universities hold large amounts of information that others may want to get hold of.
Universities produce knowledge, some of which could be of great monetary value, evidenced by the fact that many successful companies have been spun out of higher education institutions.
Illum says that companies or governments looking to gain a competitive advantage would be keen to get hold of this data.
Dr Shamal Faily, a principal lecturer in systems security engineering and coordinator of the cybersecurity research group at Bournemouth University in the United Kingdom, says that it is easy to overlook the importance of this intellectual property that universities create.
“If you’re working with a spreadsheet, you might not realise how valuable that is. Over a period of time a simple text file can become sensitive information. That’s the case with companies. It’s particularly the case with universities because we’re in the business of creating things,” explains Faily.
Other data that universities keep and must protect relates to their many thousands of staff and students. Aruba, HPE’s Ilum notes that the retail and healthcare industries are normally thought of as being the most obvious targets for hackers since they store “a wealth of lucrative financial and medical data”, but universities “actually store just as much valuable information”.
“Campus systems process an abundance of rich data including payment information, personal details and medical records of applicants, students, alumni and faculty,” he says.
Some of this material is the type that criminals will be willing to pay for on the “dark market”, putting a premium on ensuring that it is secured.
“The university has to protect the sensitive data – really detailed information on students, sensitive information and about each student and each staff member – where they live [for example] – no different from any organisation,” says Professor Kevin Curran, a professor of cybersecurity at the University of Ulster in the United Kingdom.
“They have to have the proper intrusion-detection systems; endpoint security; state-of-the-art monitoring of the network.”
However, some observers say that, with less money to spare than many corporations, universities may have more limited budgets for cybersecurity.
There have been cases where universities have fallen victim to cyber-attacks, leading to damaging publicity and, potentially, harmful consequences for those affected.
The University of Wisconsin-Madison, for example, announced last year that it was introducing a new cybersecurity risk management policy following a 2016 check incident in which more than 1,000 social security numbers of former applicants were stolen, and a 2009 hack of computers in the chemistry department. The new policy involves categorising information on university databases according to its sensitivity.
A challenge facing universities is, says Illum, ensuring that their networks are secure without student productivity being impeded.
He advises them to have a network that is granular enough to show the individual people and devices that are connecting to it.
“The devices people choose, the locations they work in and the people they send data to are always in flux – and the network has to be able keep up with all this change,” he says.
“This requires it to monitor how many devices are connecting each day, and how quickly patterns of network uses are changing, and then adapt its policies in real-time.”
Illum suggests that universities employ behavioural analytics to enable them to analyse their entire network collectively. “Machine learning can be employed to find the small changes in activity that will highlight a likely breach, allowing institutions to avoid breaches that could result in a loss of personal information,” he explains.
In a blog published in 2016 ResilientIQ’s Erin Brady said the universities and colleges should consider using a third-party vendor to carry out a risk audit and determine where vulnerabilities lie.
Another key point, and one that many universities act upon by providing online advice to students and staff, is the need to educate users.
“Universities must ensure they continue to remind users of the security risks, as well as the processes and tools that have been put in place to prevent them – but in a way that doesn’t position IT as a barrier,” says Illum.
Bournemouth University’s Dr. Faily also points out that aside from the risk to the institution’s network, individual academics may be particularly vulnerable to fraudsters because of the amount of information about them that is available online. “Academics put their lives out there because they want to find collaborators,” he says, adding that even personal details such as marital status may be found in a search, allowing hackers to build up a detailed knowledge of individuals.
“It’s much easier to carry out a targeted attack on academics than [people] working in a commercial organisation making it more important for them to take a highly precautionary approach to cybersecurity,” says Faily.