With higher education experiencing digital transformation and universities increasingly vulnerable to cyberthreats, it is imperative that institutions take proactive measures to mitigate the risks
Amid a landscape of ever evolving threats, the UK higher education sector is not taking enough steps to bolster its cybersecurity. This was the opinion of speakers at a session held by Elsevier at THE Digital Universities Week UK 2022.
With a background in the National Hi-Tech Crime Unit, Pascal Hetzscholdt, senior director of content protection at Wiley, described some of the risks universities faced. Cybercriminals do not distinguish between the methodology of their activities, he said, but instead use artificial intelligence to look for vulnerable devices and networks. Once they identify a vulnerable organisation, they dig deeper.
“The most common attacks were birthday or Sweet32 attacks,” Hetzscholdt said. “These are attacks that break encryption and see what the username and passwords and credentials are of the people accessing platforms.”
Criminals can track users of a compromised platform to access and exploit more data. But universities can protect themselves through collaboration, partnering with organisations such as the Scholarly Networks Security Initiative. The goal is to create situational awareness that could be a catalyst for action.
“Create some business intelligence around that and make sure that both your platform and your content ecosystem use tracking analytics to see who are your users,” Hetzscholdt said.“It is not enough to just send a report to your manager, right? You also want to do something to mitigate the attacks.”
Alexis Brown, director of policy and advocacy at the Higher Education Policy Institute, has conducted extensive research into cybersecurity, working with Jisc on a 2019 project that found universities to be especially vulnerable to spear phishing attacks. Researcher behaviour was a vulnerability, she said.
With universities moving more operations online, secure IT practices were crucial. Academics needed to be aware of the UK government’s Trusted Research Guidance, and it was important that cybersecurity was embedded within a broader risk management framework. There is a wealth of resources to inform universities on how best to secure their networks, with Universities UK planning to circulate tailored advice for the sector later this year.
“Universities UK is going to revise these guidelines to make them easier to integrate within university structures,” said Brown. “There is a lot of training going out around export controls. The work is being done, but we have a long way to go before integrating this effectively in how researchers do their work.”
Closing the session, Lesley Thompson, vice-president of academic and government strategic alliances (UK), considered the future of cybersecurity. "As we look forward, if there are opportunities for us to be more open and collaborative in this space, that would leave us in a stronger position leaving this room than we came in," she said.
Find out more about Elsevier.