Universities present a high-value target to hackers. Whether it’s the cutting-edge research that’s being created or the highly connected people that sit within a university’s network – all are a lure for hackers.
Universities are being hit by hundreds of successful cyberattacks every year, with more than 1,152 intrusions into UK networks recorded in 2016-2017.
What’s more, universities have constantly changing populations of students and staff, which provide cybercriminals with a regularly refreshed list of targets.
With email addresses easy to guess, it doesn’t take much for a cybercriminal to launch a broad, sweeping phishing attack, in the hope that one unsuspecting staff member or student will click a malicious link and allow their device to fall under the control of the attacker.
Many of the staff within a university also have very public profiles. Hackers can research specific details about a lecturer’s practice area and the emails they’re likely to receive, providing perfect fodder for a spear phishing attack that even the most vigilant employee may fall victim to. The students too are often of a generation that shares a lot of information via social media. This is another way hackers can build up a profile to successfully spear phish, gain user credentials and potentially achieve access to the network.
Beyond phishing attacks, once a hacker is inside a network, further damage can be done. The valuable pools of cutting-edge research act as a lure for hackers looking to launch a ransomware attack, for example, where they encrypt the highly sensitive information and demand money in return for its decryption. Often this information would be too valuable to lose and, with a lack of regularly updated, robust back-up systems in place, could result in the victims paying the ransom. Just last year, University College London was hit by a ransomware attack that brought down its shared drives and student management system.
For City, University of London, improving defences against email-based phishing attacks, in particular, has formed a critical part of its overall security strategy. It initially tested the water with a scenario run during the annual freshers’ week, to provide an indication of how susceptible the university was to phishing attacks, and then embarked on a full deployment with Cofense.
To counteract the phishing threat and consequential security implications of a breach, universities need to have a multi-pronged approach to security. While it is critical that internet users are conditioned to recognise a phishing attack by giving them intelligence on phishing email trends and encouraging regular reporting, this practice has other benefits to the organisation. If phishing emails are reported quickly, they can be investigated and analysed to understand the breadth and penetration of a security incident. With users in a regular habit of reporting phishing emails, security teams are also able to get to work quickly to triage the threat and take any steps needed to expel the hacker from the network and minimise the damage done.
Having all of these aspects of security working together is fundamental to counter any cyber-attack. What’s especially important, however, is that this process begins with well-informed, conditioned employees and students; they are the university’s first line of defence.
In a world where security breaches make the headlines daily, many educational establishments and businesses are taking a technology-only approach, removing permissions and powers from employees in the hope that this will contain the risk.
The fact is, cyber threats aren’t an IT issue solved with an IT deployment; they need human-focused defence. Get this right, and your students and staff could in fact become your biggest security protection.
Aaron Higbee is chief technology officer and co-founder of Cofense. To find out more about their work, visit their website.