Universities and Vocational Colleges around the world have always been hubs of information sharing and collaboration. Free flow of data is essential for knowledge generation and research. But there is a dark side of data in higher ed, and it’s important to know the risks and requirements.
What is the situation?
Educational institutions are prime targets for cybercriminals. There are several kinds of attractive data held by these organisations, often at huge scale:
- Personal information: Any identifiable information about persons, including basic biographical and contact details.
- Sensitive information: Any information about persons that is sensitive (including health, ethnicity, criminal history and other sensitive information); as well as sensitive legal, FOUO or other information deemed sensitive by the organisation (including financial, technical and executive information).
- National Security: Any national security classified information, or unclassified information with an equivalent national security business impact level. Many universities work in collaboration with national and international Defence forces on teaching and research.
- Compliance: Information subject to relevant regulations, which must be appropriately stored, maintained, and protected.
- Intellectual Property: Information about cutting edge technology, which is a highly attractive target to steal (and can contain commercially sensitive IP from research collaborators in the industry).
There are a few different threat actors who want this information, some of which include:
- Cybercriminals: These actors are motivated by profit or ego, are highly capable, and are most likely to conduct ransomware attacks, or to steal intellectual property or credentials for on-sale. They may target systems simply to cause disruption attributable to them.
- Foreign State Actors: These Advanced Persistent Threats (APTs) are most likely to target intellectual property to boost their own capability. They may also target government information, and sensitive or authentication information, that can be used in the event of a conflict to disrupt or influence government business and domestic operations. This group may include foreign corporations with the possible support of their nation state.
- Issue-motivated groups: These actors (‘hacktivists’) are most likely to attempt to steal sensitive information, and conduct denial of service attacks, in order to disrupt or expose what they see as controversial research and development.
- Serious Organised Crime groups: These actors are primarily motivated by profit but have low capability, so may attempt to compromise individuals in order to commit contract fraud or facilitate transport of contraband.
All of these threat actors have varying levels of motivation and capability. But it takes just one trusted insider for them to get in and cause damage.
Could it happen to us?
Well, it’s already happened to the Australian National University, Queensland University of Technology, and Deakin University in Australia. In February 2023 alone it’s happened in Germany, Switzerland, Austria, Italy, USA, Réunion, and Israel.
What do we need to do?
This is such a serious and wide-ranging problem that many governments have developed Taskforces and Guidelines to combat foreign interference and other hacking in the sector. The Australian Guidelines recommend the following high-level steps:
1: Understand and proportionately mitigate cyber business risks, using techniques like threat models where possible, to inform the cybersecurity strategy. This means considering the threat actors listed in this post, and others, to really understand who would want the data and why. This helps predict how they might go about accessing it, and what kind of harm would result if they did.
2: Implement a cybersecurity strategy that treats cybersecurity as a whole-of-organisation human issue and incorporates an appropriate controls framework. This means understanding what your information assets are, such as those listed above, and where they are, so that you can implement appropriate controls on them, proportionate to their risk.
3: Participate in communities of best practice, which share cyber intelligence and lessons across the sector and government. Not all sharing is bad — we need to share lessons and findings with ‘friendlies’ in government and in partner institutions. We are stronger together. Many regulators and universities have adopted Castlepoint as part of their control framework, and its ability to federate and make data governance reporting consistent across entities is very useful for this purpose. Check out some case studies from the sector to see how other Higher Ed institutions are using this cutting-edge software to reduce their risks.
Contact us for more information about how we can help you. We are trusted by Education and Research government agencies as well as by many Universities and higher education providers to solve the challenges of information security, privacy, and compliance.