A student connects his laptop to the university’s Wi-Fi network to access online resources provided by the institution. This is a routine activity in many academic institutions in India and across the world. But the student’s laptop is infected by a virus which spreads through the university’s network, crippling its digital services. This isn’t a hypothetical scenario. It is a reality that educational institutions face as learning becomes increasingly digital.
Cyberthreats Are Rising Against Educational Institutions
Let’s take a look at how the academic world has come under cyberattack:
- 300 universities across the world had more than $3 Billion in intellectual property stolen over 3 years by hackers
- A Yale University website was hacked by Princeton University’s head of admissions
- A former librarian of the University of Hawaii stole personal information of 150,000 students, staff, and library patrons to obtain fraudulent loans
- Maastricht University paid €220,000 as ransom to recover access to files after a ransomware attack
- A US study reports that cyberattacks on schools tripled in 2019 compared to 2018
We can see that cyberattacks on academia are quite varied. Some are large-scale well-planned campaigns to steal information while others are part of propaganda wars. Some are carried out by teams of elite hackers while others are accomplished by staff. Some are driven by commercial motives while others are the result of academic competition. The motives are many but the goals are the same, and the number of cyberattacks keeps increasing.
Why Are Learning Institutions Popular Targets For Cybercriminals?
Data is the gold that makes cybercriminals view academic institutions as a gold mine.
- Personal Data – Educational institutions are a treasure trove of personal data of students, staff, and many other stakeholders. This personal data is valuable as it can be used for identity theft
- Intellectual Property – Many universities undertake research activities and the research data and associated intellectual property have great value
- Critical Service – Learning institutions shape the minds that will create the future of the world. The critical service they provide, and the time-bound nature of the service, makes it more likely that they will pay a ransom to the cyber assailant
- Ease of Attack – Academic institutions are, by their very nature, a network of students, staff, administrators, management, regulators, contractors, consultants, other academic institutions, and many other stakeholders. This makes the attack surface very large and consequently such organisations are very vulnerable to cyberattacks.
How Can Academic Institutions Protect Themselves Against Cyberattacks
Academic institutions can protect themselves by implementing cybersecurity measures similar to those adopted by other large organisations, tweaked to suit the academic environment.
- Cybersecurity Policy – The Cybersecurity Policy is the heart of your institution’s cyber protection strategy. It defines roles, responsibilities, requirements, permitted use, and penalties for non-compliance. The policy should be made mandatory for all users and devices including emerging/future technology such as IoT devices, AR/VR headsets, and connected cars
- Password Hygiene – It is tempting to use easy-to-remember passwords, but that is why 86% of passwords aren’t safe. Follow our tips to create strong passwords and enforce them using your cybersecurity policy for all devices that connect to your university’s network including personal devices
- Password Discipline – Passwords are often shared between users in educational institutions, especially amongst students, defeating the purpose of the password. This should be strongly discouraged
- Privilege Control – Restricting critical data or IT asset access to registered users is not enough. Access privileges should have levels to ensure that registered users only have as much access to the institution’s resources as their roles and responsibilities require. For example, research data should be available only to the research team. Unfettered access, especially when combined with use of personal devices, increases your institution’s attack surface
- Hardware Lifecycle Management – This should be a comprehensive process that ensures that the institution only procures hardware where the manufacturer is known to support the device with frequent security updates; deployment of hardware is recorded and monitored; lost/stolen devices can be retrieved or remotely wiped; and devices are sanitised before disposal. This university’s hardware asset management statement will help you create a similar document for your institution
- Software Lifecycle Management – This should be broad enough to ensure that different departments use the same software for the same task, to avoid fragmentation, and specific enough to ensure that all users have updated their software with the latest security patches available. This university’s guide is a good starting place for framing your organisation’s software lifecycle management policy
- User Lifecycle Management – This ensures that cybersecurity is maintained from user onboarding to offboarding. The latter is particularly important, as a former employee should not continue to have access to the institution’s IT assets; data and network access privileges should be revoked immediately on exit
- User Education – An educated user is the first and best defence against cyberthreats. Learning about cyberthreats and cyber hygiene enables users to prevent cyberattacks, and educational institutions have the tools required to spread such knowledge quickly amongst their students and staff
K7 Security has helped many academic institutions cybersecure their campuses. Contact us to learn more about our enterprise-grade cybersecurity for the education sector.