By Dr Ben Silverstone
Pinning specific motivations to the nature of cyber-attacks can be difficult; seemingly targeted attacks often turn out to be part of an indiscriminate snowball approach, whilst others are highly focused with specific aims. The recent WannaCry attack is a good example of something that may have initially appeared as a direct attack on the NHS infrastructure, but later emerged as a blanket attack that found victims wherever it could.
The UK higher education sector is a similarly large and technology-dependent area that could be subject to similar attacks in the future. However, there are things that can be done to help prevent them.
What became clear in relation to the WannaCry attack is that many of these types of incursions rely upon users to engage with the malicious software and then spread it.
Staff and students at higher education institutions are likely to receive numerous emails throughout the day. Suspicious attachments from email addresses that clearly do not represent the organisation claiming to have sent them, such as couriers and banks, are one of the most common vehicles used to instigate these types of attacks. The action taken to block external emails confirms this in the case of WannaCry. A good approach is to keep work emails for work only and to move registrations for shopping and subscriptions to a personal account, so that it is much easier to spot emails that should not be there. Deleting the suspicious email and then reporting it to the IT department is essential. If it turns out that the message was genuine, then it is likely that the sender will follow it up.
Infrastructure and Guidance
Going hand in hand with user vigilance is the need to ensure that infrastructure and user guidance are up to date and fit for purpose. Many educational institutions choose to outsource a number of their outward-facing IT systems, such as email and web hosting, and in doing so help to ensure a degree of safety. It is worth checking the measures put in place by the outsourcing partner to counter cyber-crime, and working proactively with them to ensure the safety and integrity of systems.
Users at all levels should also be provided with the necessary guidance and support, being kept up to date on the measures in place to protect system integrity and the action that they need to take in the event of suspicious activity.
It is always worth planning for the worst and considering what to do if something were to happen. External systems that are used heavily by universities are subject to attacks, and there needs to be a plan in place if they cannot be used. Attacks – or suspected attacks – on online platforms might result in the systems being taken offline; for education institutions, this could impact on students’ life and work, so an alternative is essential. The same could be said of email and cloud sharing systems: what is the plan if these happen to be taken offline?
Whilst nobody likes to think of the worst, disaster recovery and maintaining business as usual operations in the event of an attack are important in reducing the impact of potential incursions.
Don’t be a Target
This is an interesting and potentially controversial consideration in reducing the chances of attacks. Organisations can set themselves up as targets by the way they communicate their beliefs, the business that they do or their perceived moral standpoints. Cyber criminals, who are driven not by greed but by the perception that their actions constitute a socially acceptable act, target such organisations to make a point. Outwardly controversial opinions or actions from a university could set it up as a target for an incursion designed simply to cause as much disruption as possible.
Cyber criminals tend to want something, whether it is to address social justice or to gain something, perhaps financially, as a result of their actions. It is worth considering what a person would have to gain from a direct attack against a specific institution. If the institution considers this, then there can be practical steps beyond simply increasing security measures to help reduce the chances of something happening.
Protection against opportune attacks is a case of increased vigilance, as discussed. Increasing security measures is only part of the story; there is no point in putting an extra lock on the door if someone is there to open it and let the criminals in. Consideration should also be given to the potential for malicious intent that arises from internal sources. This can be very difficult for organisations to police, but should be in the minds of those who monitor network activity.
Ultimately, attacks can be avoided by a combination of vigilance, up-to-date infrastructure and an outward facing stance that does not seek to make an institution a target. Despite all of this, there will be a reason why an attack is launched in some form or another, and therefore contingency plans need to be robust and effective.
About the author
Dr Ben Silverstone is the course leader for computing and quantitative business at Arden University. Ben is an IT security expert who specialises in email governance, business security, and user experience. He has a PhD in engineering.
Ben has spent over a decade in academia as a lecturer, mainly in business, specialising in the integration of quantitative and soft elements of management science. In 2014, he was awarded a Fellowship to the World Business Institute and in 2016 he was awarded a Fellowship to the Royal Society of Arts.