Source:
iStock
Increasing awareness, training and robust technical controls can protect universities from attacks as staff work remotely
The coronavirus pandemic has changed the ways in which universities work. There has been a mass migration to online platforms and personal devices as academics and administrative staff perform their duties from home. This disruption can expose institutions to a heightened risk from a variety of digital threats, particularly phishing campaigns, and underlines the importance maintaining good cybersecurity practices.
“I think criminals of any nature have always been opportunistic,” says Gareth Packham, head of information security at Oxford Brookes University. “I don’t think there are new risks, but I think in some cases, yes, the risk level has increased. But if your cybersecurity department has been doing its job well, there shouldn’t be any nasty surprises.”
The ideal scenario is one where phishing campaigns are caught and neutralised by the university’s IT infrastructure before reaching an individual’s inbox. Packham says that “event-driven” and seasonal phishing attacks are par for the course. Typically, attacks spike in September and October, when staff and students return to campus, and commonly take the form of emails to students touting bogus hardship schemes. With the Covid-19 outbreak, phishing attacks maintain a similar topical cynicism and are tailored accordingly. Many are unsophisticated but, if not caught by university IT systems, the best line of defence is that individuals are aware, and for universities to offer support to all users of its systems through training and clear communication of best practice.
This is easier said than done, says John Chapman, head of the security operations centre at Jisc, the UK education and research technology solutions not-for-profit. “Even seasoned professionals, including those in IT and cybersecurity, can fall victim to a really specific phishing campaign,” he explains. “We are all working long hours. We can all be distracted – maybe you have young children at home who you are trying to home-school. It is very easy to click on something that maybe you shouldn’t have, or wouldn’t have if you were more alert, or back in the office. In an office, you also typically have someone you can turn to and ask if they’ve also had a suspicious email, which isn’t as easy to do in a home environment.”
Like all large organisations, universities have many points of entry for cybercriminals. Chapman says tackling this “ever-changing threat landscape” should be planned from the ground up, with information security embedded as part of the university’s broader digital strategy. He cites research showing the increasing number of universities passing the UK government’s Cyber Essentials certification scheme – up from 14 per cent in 2018 to 44 per cent in 2019 – as a positive trend. Passing Cyber Essentials enables organisations to demonstrate a solid grounding in the fundamentals of cybersecurity, and should be accompanied by cybersecurity awareness training for everyone across the organisation. “Getting the board and the directors to buy into your cybersecurity strategy and getting that embedded throughout the whole organisation is key,” he explains.
Cybersecurity is both a technological and a cultural issue. With more universities adopting cloud-based services to manage their data and systems, there may be a change to the risk environment, as cloud-based systems are managed externally with a third party possibly responsible for updates and security patches. This, allied with IT safeguards such as compartmentalised systems and isolated networks, can help universities mount a sound technological defence against cyberattacks.
During lockdown, enforcing virtual private network (VPN) connectivity from managed devices to university-hosted systems and implementing multifactor authentication can further mitigate risks. Solving the cultural issue requires getting the communication right, and a little more finesse.
Tom Stoddart, assistant director of information security at Manchester Metropolitan University, sees universities’ cybersecurity challenges as predominantly cultural, with the huge variation in the type of work undertaken by different departments resulting in the need for bespoke communications and training to raise staff awareness.
“The idea that there is any one-size-fits-all approach that is going to pique everybody’s interest is nonsense,” he says. “So we have spent quite a lot of time trying to find different senior sponsors for pieces of work and doing our best to adapt our message for different departments.”
Packham agrees. “I think it is more about making sure people know what the risks are,” he says. “At Brookes, I champion a risk-based approach to cybersecurity and working with data. Not all data is of equal value, either to the organisation itself or an attacker. But if you are working with HR or student data, that’s when you probably do need to seek guidance with people like myself or the team around me.”
Such measures are now more timely than ever. “Training and awareness are particularly important when people are working from home,” he adds. “If staff do not understand how to do things safely and securely, then all the policies and procedures in the world won’t help.”
Find out more about Jisc and cybersecurity.
This article was commissioned by Times Higher Education in partnership with Jisc, the UK body for digital technology and resources in higher education, further education, skills and research.
