It’s difficult to imagine life as a student without the computer systems that keep university life running smoothly. From submitting an essay to checking a presentation from a lecture, thousands of students and staff depend on being able to work online. If access to the network fails, the cost can be massive: both teaching and learning suffer, and so will the organisation’s reputation and bank balance.
For all these reasons, it’s vital that higher education institutions keep up with the latest threats to their cybersecurity, and make sure they know how to deal with them effectively.
It’s a big task, says Dr John Chapman, head of the security operation centre at Jisc, a not-for-profit membership organisation providing digital solutions for the UK education and research sector. “There’s a whole range of things that institutions need to do to protect their students, staff and data from cybercriminals,” he points out. “Undertaking end-user training, regular vulnerability scans and system patches, attack monitoring and putting in place mitigation and incident response plans – all these things can help minimise disruption to teaching and learning.”
For example, a massive distributed denial of service attack (DDoS), where attackers can crash a system by overloading it with traffic, could mean that students can’t access e-learning platforms for exam revision, or submit coursework. Malware, such as viruses, can also stop people logging on to systems, while ransomware can lock entire systems unless the hacker who holds its key is paid.
Then there’s the threat to the huge amounts of data universities hold. That could encompass highly confidential personal information about students and staff, as well as valuable research data. “If criminals or nation states want certain intellectual property, then they could try and get that out of universities,” says Chapman. “It’s happened before and will continue to be a threat. A successful breach of this kind means that it’s not only the university and the researchers that suffer – it’s potentially the UK economy too.”
Cyber threats are ever-present. Last year, 173 higher education providers engaged with Jisc’s computer security incident response team (CSIRT). The service, which is available to all Jisc members, deals with more than 6,000 queries a year. These range from breaches of copyright, such as illegal film downloads, to urgent queries on how to remove malware, or to identify where a security breach has taken place.
Cybersecurity threats are always evolving and university cybersecurity experts must keep up with new criminal methods. For example, Chapman points out that phishing emails are becoming increasingly sophisticated. These fake emails look like they come from a real organisation – a bank, a university, even the institution’s finance department – and trick the recipient into revealing personal information such as their username or password, or to send money. Phishing is one of the most common ways to insert malware or ransomware on to a system, the consequences of which could be huge.
That’s why Jisc offers training to users at universities in how to recognise a phishing email. “One way of doing this is where our training provider, working with an institution, crafts a phishing email and sends it to a selected group of users without them knowing it’s a test,” says Chapman. “That can provide a good baseline of how susceptible staff and students are to such scams and indicates where training could be useful. Colleges and universities that have taken part in this activity have seen a marked decrease in the number of users who click on the link in the fake emails, and a definite increase in the number of suspicious emails that are reported.”
The Jisc team will also carry out penetration testing, or ethical hacking to test systems and networks against real-world cyber-attacks. This involves Jisc staff taking on the role of a hacker and seeking to find and exploit vulnerabilities, all within the law. A team of penetration testers will agree broad methods with the institution beforehand, explains Chapman, and will then do their best to break into the systems under scrutiny – sometimes using social engineering as well as online methods. “For example, a penetration tester could turn up outside a door which is normally locked, with a cup of coffee in each hand. People are always trying to be helpful, so they will often open the door without checking the person’s identity. Once the penetration tester has got access, they can plug in a laptop, get on the network and try to find useful or valuable data.”
But cybersecurity in higher education isn’t just a job for the technical staff: leaders also need to become more aware. “It’s definitely the case that leaders are starting to take cybersecurity more seriously,” says Jisc product manager Mark Tysom.
The government’s Cyber Essentials scheme, which launched in 2014, already provides a benchmark for institutions that want to protect themselves against the most common threats, and Jisc now offers advice for its members on how to attain Cyber Essentials certification. But the scheme is aimed mostly at IT departments. Now, a new standard has been developed – BS 31111:2018 cyber risk and resilience – which is aimed at executive-level leaders.
“Cyber Essentials is a good start, but the new standard will hopefully show governing bodies that they should not delegate the responsibility of cybersecurity to IT departments within an organisation,” says Tysom. “They need to take responsibility and demonstrate to stakeholders and customers that they are taking a top-down organisation-wide approach to cyber risk and resilience.”
Jisc offers a range of cyber security products and services to universities, along with advice on how to mitigate risk and deal with attacks
