Cost-cutting in universities has left institutions at risk of cyber attacks from disgruntled staff, it has been warned.
Glen Gooding, cyber security partner with consultants EY Oceania, said staffing changes triggered by the Covid recession may have left IT teams without enough personnel to manage cyber risks. Those who remained may be less attentive – and, in some cases, actively hostile – because of grievances over staff reduction programmes.
“On-site IT staff [often] hold a lot of the keys to the kingdom,” Mr Gooding said. “That insider threat is something that universities and organisations in general should be looking at. Those IT folks could be maliciously minded and bring down sites. They could take data with them.”
Australian universities have been cutting thousands of jobs as Covid-19 triggers expectations of a huge decrease in international student revenue.
This cyber risk coincides with the shift towards online course delivery and the rise of the home-based workplace, which have significantly increased the “surface area” for cyber attacks, as students and academics harness a multitude of devices and software that could be used to infiltrate university systems.
Adding to the danger, Mr Gooding said, some universities have cut costs by contracting out teaching or student services. “Who knows how well those third parties are delivering their own cyber security controls?”
Australian cyber concerns have largely focused on external threats, in the wake of high-profile attacks on the Australian National University in 2018 and 2019. The first reportedly lasted for months while the second netted the infiltrators years’ worth of personal information about staff, students and visitors.
Education and research institutions regularly attract attacks, such as a series of “denial-of-service” strikes that temporarily disabled the University of Queensland’s website in August last year. Ransom attacks on overseas universities, along with data raids and the reported theft of intellectual property concerning coronavirus vaccination, have prompted questions over whether universities spend enough on cyber security.
Catherine Friday, EY Oceania’s managing partner for government and health sciences, said academic freedom made cyber security especially challenging. “There have historically been far fewer controls around the systems used within university compared to other organisations of similar size,” she said.
She said redundancy programmes and systematic underpayment of casual staff – an issue recently reported at 10 public universities – had eroded the “trust” between staff and university executives. Compounding the problem, universities were seeking further savings through robotic process automation.
“That can produce great economic efficiencies but it also can increase the risk profile of the university [through] the hackability of those algorithms and the fact that the automation programs also run the risk of disengaging even more staff,” Ms Friday said.
She said automation would centralise systems that had traditionally been diversified. “The quantum of data within a smaller number of processes is going to increase exponentially.”
This will bring “joy to the criminals’ hearts”, Mr Gooding said. “We’ve made their life so much easier, because we put all that valuable information in one spot.”
He said universities must avoid dismissing cyber security as a niche problem for “techy” people. “It’s not an IT issue. The most senior levels at the university, across the multiple faculties and campuses, all need to be culturally rewired to keep cyber front of mind as a business problem.”