Cybersecurity in higher education
Cybercrime is rising, and there are some juicy targets in the HE sector. Kevin O’Malley explores why that matters, and asks what can be done about it
What’s the problem?
Student Loans Company suffered just shy of a million attempted cyberattacks in the last fiscal year. The organisation says that “malicious online activity affects every organisation” and that 99.9% of the recorded attempts in 2017/18 presented an “extremely low level of threat”.
The comments, made by an SLC spokesperson during an interview with IT Pro, may seem to make light of what is a serious issue for higher education. Data is money, and education has a lot of it (data, that is). SLC reckons the damage is limited. Our spokesperson went on to say that, “The apparent increase in 17/18 figures is largely due to changes in the way security incidents are recorded.
“It is also worth stressing that, while we remain permanently aware and vigilant, every one of these attempts was detected and prevented at an early stage, with no violation of systems or data security.
“Cybersecurity will always remain a top priority for SLC and we continue to invest in the technical expertise and resources required to keep information safe.”
However, one of these attacks succeeded, infecting the SLC.co.uk domain with a Monero cryptocurrency mining virus. The infected domain was hosted by a third-party server. The SLC insists none of the sensitive financial data it holds was at risk.
The majority of polled universities don’t offer any cyber security training to students – John Chapman, Jisc
The information came to light following a Freedom of Information request made by think-tank Parliament Street.
Why was SLC targeted?
The SLC holds the financial data for every student who takes out one of its loans. In their 2016/17 annual report, the SLC revealed they had processed 1.8 million applications. That alone would have made it a tempting target for cybercriminals – and given the amount of personal data that universities hold, that’s worth considering.
But the truth is broader than that. What happened to the SLC could happen to anyone. A global increase in cybercrime has made cyberattacks a fact of life for every public institution and private enterprise in the UK. According to the government’s Cyber Security Breaches Survey 2017, seven in 10 large businesses operating in Britain identified a breach that year. The average cost was £20,000 – in some cases, millions were lost.
The survey also demonstrates how businesses holding electronic personal data on customers were much more likely to suffer cyberbreaches than those that did not (51% compared to 37%).
The most common breaches or attacks were via phishing emails – coaxing staff into revealing passwords or financial information, for example, or opening dangerous attachments – followed by viruses and malware, such as people impersonating the organisation online and ransomware.
Economic impact of cyber crime:
2015: $3 Trillion
2021: $6 Trillion
Businesses also identified these common breaches as their single most disruptive breach, and the vast majority of them could have been prevented, according to the report, using the government-backed, industry-supported Cyber Essentials scheme, a source of expert guidance showing how to protect against these threats.
These findings are still relevant today. According to Cybersecurity Ventures, cybercrime is due to cost the world $6tn by 2021, up from $3tn in 2015.
Are further HE attacks likely?
According to Dr John Chapman, head of Jisc’s security operation centre, “Universities are just as at risk from cybercrime as any other sector in the UK. Jisc’s research shows that higher education organisations consider the top cyber threats to be phishing and social engineering, ransomware/malware and lack of awareness of good security practice by users.”
The problem appears to be partly structural. “Due to the large number of students and staff within an institution, the fact that a large proportion of the user population changes every year, combined with the number of devices every user has means that human error will always play a part in cybersecurity.”
Chapman suggests the solution is compulsory security training for students and staff. The figures for uptake are troubling. “Unfortunately, Jisc’s 2018 cybersecurity posture survey showed that only 57% of universities that responded provide compulsory staff training (up from 48% in 2017) and 29% give optional training. However, only 3% advocate mandatory student training, with 38% providing optional training. Worryingly, 51% don’t offer any cybersecurity training to students.”
The dangers of poor security are excessive. “Universities that do not adequately protect themselves risk the loss or exposure of personal student and staff data and also commercial, institutional and research data that is valuable to cyber criminals operating domestically and internationally.
“We were surprised, therefore, that our 2018 survey indicated that members seem unconcerned about one of the threats that is big in the media and high on the list of priorities for security agencies. In 2018, the National Cyber Security Centre (NCSC) took the rare step of publicly naming a nation state when it published a document in collaboration with US security agencies stating that Russian state-sponsored cyber actors were targeting network-based intrusion detection system (NIDS) devices.”
The UK’s higher education sector was targeted twice in 2018 by international cybercriminals. The Mabna Institute, an Iranian government contractor, attempted to steal data from British institutions via the ‘Silent Librarian’ campaign of cyberattacks. Stolen Pencil, a North Korean group targeted individuals associated with universities to trick them into downloading malicious browser extensions. However, in a recent Jisc survey, only one person listed international cyberattacks as a worry.
How is the industry responding?
The rise in cybercrime is cause for alarm, but it’s being met by an increase in security in tertiary education. A spokesperson for the NCSC says: “NCSC experts work closely with the academic sector to improve their security practices and help protect education establishments from cyber threats.
“Every organisation must act to ensure their online security is as robust as possible, and we strongly urge them to follow the world-leading, best practice cybersecurity advice on the NCSC website.”
Jisc also advises organisation-level protection. “While it’s our job to protect our members connections to the national research and education network, Janet, our members take responsibility for their own cyberspace,” says Chapman.
“We help by providing a range of security services and expert advice, which includes access to our computer security incident response team (CSIRT), advice in dealing with and recovering from security incidents, and guidance towards achieving the government’s security standard, Cyber Essentials.”
Jisc’s efforts don’t stop there. It is currently running Exercise Mercury, an ethical hacking competition between 20 UK universities. The competition aims, for the first time, to benchmark security posture in the higher education sector and to share the resulting information for the benefit of the whole sector.
Exercise Mercury, which is free for all participants, was launched at the Jisc cyber security conference in November 2018 by keynote speaker, Kieren Lovell, a communications and cybersecurity expert. Lovell said: “What we learn will help universities to protect themselves from hostile cyber actors, who are a growing problem for all organisations. It will also give university security staff invaluable experience in ethical hacking.”
Once all 20 universities have been tested, which will take about six months, the data will be collated and information on common vulnerabilities shared throughout the UK higher education sector by Jisc.
Universities are also addressing the problem directly. For instance, CUCCIO (the Canadian University Council of Chief Information Officers) have put together a security special interest group that handles nothing but higher education internet security for all of the associated universities.
Some have gone even further; to quote Luc Roy, chief information officer at Laurentian University, “Six universities have joined together to undertake a proof-of-concept project for a shared Canadian higher education security operations centre. The project participants are investing significant time and money to address concerns related to the increasing frequency, complexity and severity of cybersecurity threats facing higher education institutions, and to develop a shared solution for the unsustainable scope and costs of successfully managing these threats, including early prevention, detection and mitigation.”
The unifying thread of all these efforts is collaboration. By exchanging information with other institutions and sharing expertise with each other and security organisations like Jisc and the NCSC, higher education bodies can develop a stronger defence against cyber criminals.
What does the future look like?
“Cyber threats are not going away,” says Chapman. “With 173 different higher education providers engaging with Jisc’s Computer Security Incident Response Team during 2018, that’s 19 more than in 2017. But I think universities will become more mature in their cybersecurity posture, getting better at detecting and preventing cyberattacks through a combination of awareness-training, more sharing of cyber threat intelligence, easier access to cheaper tools and systems and benefiting from the services the Jisc security operations centre can provide.”
Causes of breaches:
- Miscellaneous errors: 17.7%
- Insiders and privilege misuse: 16.3%
- Physical theft and loss: 15.1%
- Denial of service: 15.0%
- Crimeware: 12.4%
- Web app attacks: 8.3%
- Point-of-sale intrusions: 0.8%
- Cyber-espionage: 0.4%
- Payment card skimmers: 0.2%
- Everything else: 13.8%
He added: “It’s true that, if a specific threat actor is determined to attack your institution, then there may be little you can do, but if they are trying to find an easy victim to use to attack another site (whether inside or outside the education sector) then there is much you can do to make your organisation an unattractive target.”
You might also be interested in: Cyber security needs you! James Hadley, CEO & Founder of Immersive Labs, talks about how accessible cyber security is to everyone