Higher education institutions have long been a popular target for cybercriminals, offering a wealth of personally identifiable information and confidential research from which to benefit financially.
With complex setups and stretched budgets, universities are among the worst when it comes to protecting against cyber attacks. A survey conducted by the UK Government Department for Digital, Culture, Media and Sport found that 75% of further education colleges identified breaches in 2021. This figure is unsurprising, especially considering the rise seen in ransomware attacks.
Coping with an attack can be a real struggle for universities, impacting students and staff. Many of the incidents reported in the last year disrupted teaching, affecting student assignments and their wider learning. An attack on the University of Northampton, for example, caused deadlines to be pushed back because students were unable to access important course material and tutor feedback. With many classes and lectures operating remotely because of the pandemic, repercussions like these proved even more challenging than usual.
So how can higher education institutions tackle the growing cyber threat and keep their staff and students safe?
Better patch management
One of the biggest issues is the failure to ensure all software is properly updated and end-of-life software is fully removed from systems. Often it is this outdated software that bad actors will take advantage of, targeting vulnerabilities using pre-written coded exploits published online. The CVE (Common Vulnerabilities and Exposures) database works to identify and catalogue vulnerabilities and, at the time of writing, has over 169,750 recorded.
One well-known piece of end-of-life software, Adobe Flash, currently has 1,464 known, documented vulnerabilities for which a CVE has been recorded. Since Adobe Flash is no longer receiving security updates, bad actors could use a pre-crafted attack against any one of these vulnerabilities to gain access to a university's systems.
The bad actor needs only a foothold inside your network: any machine or device will do. From there, they can work on elevating their access levels using other exploits. For every 1000 lines of code for a piece of software, there are approximately 70 bugs that have the potential to become a vulnerability for exploitation.
Universities are dealing with a large number of applications and software on their network, so managing security updates can be difficult, but doing so will be the biggest contributor to reducing the chance of attack.
It’s therefore vital that all devices and software are updated as soon as security patches are released to avoid losing data and access to services. In many cases, it’s possible to apply updates automatically and this is strongly encouraged. Where you cannot, there should be a system in place to manually apply the updates once they’re released. Vendors may release security updates immediately or as a regular release in bulk, but once they release the fixes and details of the vulnerabilities identified, bad actors can use this information to create exploits, so completing the update as soon as possible is essential.
While removing end-of-life operating systems and applications can be quite trying on budgets, the cost of a breach for your organisation is likely to be significantly more, so it’s always worth considering the long-term investment and savings you’re making when implementing these cyber security measures.
Whilst a full vulnerability management program is by far the best way of addressing issues, completing, as a minimum, an annual vulnerability assessment is also a cost-effective solution to give you a clear picture of your security posture and help you locate any current vulnerabilities and get them fixed before it’s too late.
Security awareness training
Staff and student training should go hand in hand with any technical improvements, as human error is likely to be the leading cause of cyber-attacks.
With so many students and staff, social engineering is a key threat for universities, particularly by way of phishing emails, so educating all staff and students about these risks is vital so they understand the role they play in protecting the university and its data.
Simulated phishing attacks can be a good way of testing security awareness in a university. Consider allowing your IT department to see what emails are opened and links clicked on, in order to educate those staff most at risk.
Many universities are now even rolling out compulsory cyber awareness online modules, which can be a helpful way of managing such wide-scale training. Lots of companies are dedicated to offering services like this and plenty of free online resources can be found as well, such as the NCSC’s Top Tips for Staff.
Studies have shown, however, that while many are pushing this kind of training for staff, only 9% are mandating it for students.
Students may be harder to engage but making the effort to educate them on cyber security best practices will go a long way towards risk reduction. Students spend a huge amount of time online and will often be using university networks for all kinds of activities, including social media and web browsing, so ensuring that they can recognise potential threats and understand how to protect their data online is crucial.
Mobile security is another area that can often go overlooked in educational institutions. Mobile devices hold a large amount of personal data that hackers can target through similar techniques associated with desktop devices. Malware is a particular issue with mobile devices, often finding its way onto a device via app downloads, but students and staff are less likely to exacerbate this risk if they have an awareness of these sorts of issues. With effective training, they can adhere to proper guidance like only downloading apps from reputable sources and what to do if their phone is lost or stolen on campus.
In 2019, 80% of hacking-related breaches were reportedly linked to passwords and stolen credentials, so it’s clear why this is a major focus area for mitigating cyber risk in universities.
As part of any security awareness training, staff and students should be taught about the importance of good password health, how to generate strong unique passwords, and what to do when you think your credentials may have been compromised. Password policies are good practice to use as a central source of this guidance for staff and students.
While creating strong, unique passwords is helpful, it is not going to single-handedly defend against cyber-attacks, as many bad actors have ways of cracking or bypassing these. A layered approach is therefore needed, and one simple, cost-effective method is enabling multi-factor authentication (MFA) for users logging into university networks.
Students and staff should be required to provide an additional form of authentication rather than just relying on the username and password combination. These solutions can normally be deployed easily, with no added product cost.
Since the pandemic, there has been a steep increase in MFA adoption, but many institutions have yet to put it in place for all staff and students.
Tackling the cyber threat in universities is a communal effort.
We’re likely to see attacks continue to rise, particularly ransomware and social engineering, and as such, it’s vital that staff and students work together to be cyber vigilant and make a conscious effort to follow security best practices.
From an IT perspective, developing a solid vulnerability management program will help to ensure the fundamentals for a secure environment are there.
One useful way to do this is by looking to achieve certain standards for cyber security that will encompass these critical controls.
The UK Government Cyber Essentials scheme is a good place to start for the education sector, giving institutions the assurance they need that they are largely protected against common cyber-attacks, and it may even make them eligible for certain grants and funding.
The Department for Education also announced last year that they would be releasing a cyber tool to help educational institutions assess their security posture and better understand the risks facing them. Universities should take full advantage of these initiatives to support their cyber security efforts as they work to protect staff, students, and the organisation from potential attacks.
Clive Madders is chief technical officer and Lead Assessor at Cyber Tec Security. With over 25 years’ experience in the industry, Clive has built up an extensive repertoire as an Enterprise Solution Architect, delivering managed ICT support services, Cyber Essentials certifications and advanced security solutions to help improve the cyber security maturity of organisations across the UK.