John Hurst, Public Sector Sales, CyberArk, explores the cybersecurity risks that higher education institutions are facing
It’s fair to say that a lot has changed in the UK higher education sector in the last two years. By now we’re all familiar with the initial challenges that the pandemic posed, from remote learning and research to student ‘confinement’. But even with restrictions now relaxed, challenges remain: many universities face a struggle for funding after first-years deferred or dropped out last September, and international enrolment is expected to be down by 10% this academic year. Add to that the continued controversy over physical versus virtual classes, with institutions trying to balance student satisfaction with safety concerns, and you have a pretty complex picture.
From a technology perspective, we know the scramble to deliver classes and conduct research remotely prompted a range of different technologies to be adopted at speed. But it isn’t so widely known that in the rush, cybersecurity was often an afterthought, with many institutions now far more exposed to cyber threats than they have ever been. As we face a new academic year, cyber attackers are expected to take advantage of the confused and highly vulnerable state of institutions, creating an urgent issue which universities simply can’t afford to overlook.
Universities make particularly attractive targets due to the masses of valuable research data they often handle, in combination with sensitive staff and student data. Equally, attack-related disruption has become even more powerful in the context of remote learning, which the University of Hertfordshire discovered the hard way last term, when all classes, email, and data storage were suspended for two days due to a ransomware attack. The NCSC warned that similar ransomware attacks had featured the loss of student coursework, institution financial records, and COVID-19 testing data too, showing that every aspect of a university’s data footprint is vulnerable.
Beyond the campus perimeter
In the context of academia becoming more distributed, security now needs to extend beyond campus. University resources that would usually be accessed via secured, on-campus Wi-Fi, for example, are now facing an unsecured journey from users back to the campus network. The chaotic nature of the rapid transition to this model means procedures were often implemented without the requisite security, and many institutions remain vulnerable, despite having installed anti-virus (AV) software and some form of multi-factor authentication (MFA).
The fact that universities are ‘open environments’ with the autonomy to research and govern independently, unlike most private sector organisations, is a big part of why they’re so susceptible to hackers with malicious intentions. A Freedom of Information request only a few months into the pandemic corroborated this, with more than half of UK universities reporting a data breach to the regulator in the 12 months prior to July last year. The motivation for such breaches can vary, with some purely down to human error, but more often than not attackers are seeking either to steal information or products, bypass expensive research and development, recruit individuals for espionage, or spread false information for political or other purposes.
These targeted attacks aren’t unique to the UK’s universities, either. A recent FBI report in the US ranked higher education as the number one target industry for ransomware. To put this into perspective, that ranks it higher than financial services, which has not only been the market leader historically but also handles trillions of dollars a day in executing transactions. So attacks on higher education really are big business.
Stealing credentials is often the first goal of these attacks, with hackers seeking unrestricted access so they can find – and hold to ransom – important data and functions. Universities present an especially attractive target because so many individuals in their broad leadership teams retain privileged access. Think the Vice-Chancellor, the Provost, the Finance Director or the CIO – all of these positions bring with them a huge range of privileged access. Locking down the privileges associated with such positions should therefore be a cornerstone of any security strategy.
A moving target
Securing privileged access and identities shouldn’t be limited to senior leadership, though. The dynamic nature of a university means that users’ access privileges at all levels, from visiting professors requesting access to specialist software to students leaving for a term to study abroad, need not only to be secured but also to be managed consistently, in the event they should change.
For example, a visiting professor may be granted a staff login and access to privileged resources on the university network. If nobody monitors closely when they leave, their ‘leftover’ credentials become an easy way in for an attacker. The institution, therefore, has to keep a close eye on active and dormant accounts to make sure they can be secured when somebody leaves.
Vigilance against such attacks is critical, as they can come in various forms. Some attackers might email students to reveal they’ve obtained their personal data, for example, and instruct them to contact university administrators and urge them to pay the ransom. Such a scenario puts the institution in an extremely difficult predicament. Either it pays and takes a financial hit, or it doesn’t pay and suffers reputation loss among the student body, which often leads to decreased enrolment and financial hardship.
Where to start with your defence
Adopting the principle of least privilege is a critical starting point for any higher education institution’s security strategy, and must be closely followed by a Zero Trust framework. The latter is an essential tool for securing campus IT systems because it stipulates that no user can be trusted until they have proven their identity on multiple occasions, through differing means.
IT teams at universities also need to acknowledge that attackers will inevitably succeed in getting in from time to time. Thinking like an attacker is critical in this context. Each team must take action to prevent credential theft, and limit the access that stolen credentials can grant any attacker. This can be done through auditing, finding unsecured accounts, and limiting the access that individuals have to only the tools necessary for their role.
Then, they should ensure that those with access to high-value information like sensitive data and administrator privileges are using extra layers of security, such as regularly changing passwords, and using multi-factor authentication for login. The final piece of the puzzle is to ensure security teams have access to security solutions for every area of campus, at all times, to make sure there are no pathways left unlocked.
It’s a scary world out there. Attackers are as eager to learn as most students, with the only difference being they want to use their skills for illegitimate purposes. Facing these threats with the help of a well-equipped team, with the right tools to blunt their attacks, is critical to maintaining UK universities’ reputation for academic excellence.