Protecting Higher Education Institutions from Cyber Threats
Read time 5 mins
Sadly, in 2022, it is no longer shocking news to report that cyber-attacks against businesses are on the rise. Indeed, the UK Government has encouraged organisations to be vigilant of cyber threats and follow its guidance to strengthen cyber security practices since almost one in three businesses (31%%) said they now experience breaches or attacks at least weekly.
Ever opportunistic, cybercriminals are also targeting universities, colleges, and schools; institutions, which, across 2021 and 2022, experienced a surge in ransomware attacks.
Truthfully, a concerning 92% of higher education institutions have identified breaches or attacks in the last twelve months, according to the 2022 Cyber Security Breaches Survey – attacks which left significant operational and financial costs in their wake and caused horrendous disruptions for staff and students alike.
A closer look into the same government survey uncovers that 71% of higher education institutions also experienced a negative outcome from the reported cyber-attacks, such as a loss of money or data from a breach. Around 9/10 (88%) reported being negatively impacted regardless of whether there was a material outcome or not. Additionally, half of those surveyed stated their accounts or systems were compromised and used for illicit purposes. Most commonly, educational organisations indicated the need for new measures to be brought in to prevent or protect against future breaches or attacks.
Why is higher education so vulnerable?
Cyber security is – as it should be – a huge concern for higher education institutions. In fact, news reports around the issue indicate that they can be viewed as somewhat ‘easy targets’ by cyber criminals – compared to other organisations with higher security budgets, less stretched IT teams, and modern, well-constructed cyber security systems.
More than this, and even before the pandemic hit, higher education institutions were known to collect massive amounts of data from students and faculty, presenting a wealth of opportunities for cybercriminals. Of course, this has ballooned in recent times now that many universities also offer hybrid or fully remote curriculums.
The most common attacks seen at higher education institutions include:
According to the Cyber Security Breaches Survey, higher education institutions are significantly more likely to identify viruses, spyware, or malware (59%) on their systems, with the most obvious benefit to cyber criminals being financial gain. Usually, attackers install malware that encrypts the victim’s files, essentially holding them hostage and demanding payment to restore access to the information. Hackers can also directly attack the institution’s payment systems, accessing or impersonating accounts payable and extracting money.
As previously mentioned, higher education institutions have enormous data stores that house the personal information of students, staff, providers, and vendors. Think addresses, telephone numbers, NI numbers, and even sensitive data like medical records and academic transcripts. Criminals that hack into these systems can then use the information to exploit or extort the institution or specific individuals. As with other types of organisations, phishing is the most common threat vector used to extract data from higher education institutions. In a phishing attack, the hacker will pose as a trusted entity and exploit that trust to trick the user into providing sensitive information like passwords or bank account numbers. Phishing typically happens through email or social media messaging.
Many colleges and universities are also functioning research institutions, and theft of intellectual property, especially in critical areas like medicine or engineering, e.g., can inflict severe damage and yield fast results for attackers. Attackers can get information on research findings that they can sell to competitors or other countries to influence their economies or policies. Cyber criminals can also hold the stolen information hostage, demanding a ransom payment for its release.
Distributed Denial-of-Service (DDoS) attacks
This type of cyber-attack wherein cyber criminals aim to render a computer or server unavailable for its intended user(s), e.g., students and researchers at a university. DDoS attacks work by over-saturating the usual functioning of the device like a traffic jam in which nobody can move, overwhelming and flooding the target with requests until the machine can no longer perform. These attacks come from multiple sources and are difficult to contain since institutions cannot simply block a single attacker. DDoS attacks are particularly nefarious because they may be carried out to exact revenge against an institution, to slow it down, costing time and money. They can also be used as a distraction while criminals perpetrate additional attacks.
Helping higher education institutions protect themselves
Several strategies exist for combating the types of cyber-attacks described above. Some involve strategies which everyone in the higher education community, including end users, must implement, and some that higher education IT professionals must employ themselves or with the help of an experienced managed cyber security service provider.
To better protect themselves, higher educational institutions might consider the following:
Conducting a cyber assessment / tabletop exercise
Cyber assessments are designed to identify areas of security weakness inside organisations – from technology, people and processes, and policies to procedures, controls, and standards. Once complete, the aim is to implement strategic changes that will mitigate risk, whether these speak to IT infrastructure issues, out-of-date software, or gaps in knowledge.
Equally, tabletop exercises are designed to help organisations identify and prepare for different risk scenarios. Usually involving internal and external stakeholders, the tabletop exercise considers several simulated scenarios that could negatively impact the institution and analyses the crisis management capabilities of the organisation in question. Once complete, recommendations for change can be implemented to further secure and protect the institution.
Outsourcing cyber security services, e.g., managed detection and response (MDR)
The benefits of employing a managed cyber security provider include the service’s ‘independence’ from IT. This is beneficial since far too many organisations lumber their internal IT teams with the responsibility of cyber threat protection, detection, and response, which can lead to a lack of focus as the team becomes overstretched. In some cases, it can also lead to overworked IT teams losing or hiding vital cyber security information in an effort to get by on top of their other important duties.
Outsourcing cyber security also has the added benefit of cross-pollination of intelligence from other institutions and industries the managed services provider services. In addition, they come bearing unique, niche skill sets that would greatly benefit the institution’s cyber security strategy. Dedicated cyber security professionals can be difficult to recruit and retain and require constant training on new threats and cybersecurity strategies.
Increasing user education and awareness
User awareness training is key to battling the sort of errors in judgement cyber-criminals hope end users at higher education institutions will make, e.g., downloading a document from an unknown email source or reusing passwords across multiple accounts and devices.
User awareness training provides employees with the information they need to understand online threats, identify red flags and potential attacks, and take appropriate actions to protect themselves and the organisation they work for/attend. As well as its educational properties, user awareness training is designed to keep knowledge and understanding fresh in users’ minds and reinforce cyber security best practices.
If you would like to discuss Littlefish’s cyber security services and how we can help your higher education institution become cyber-prepared, feel free to contact us through our get in touch button.