Higher Education and records governance: managing the risks

Universities and vocational colleges around the world have always been hubs of information sharing and collaboration. Free flow of information is essential for knowledge generation and research. But there is a dark side of data in higher education, and it’s important to know the risks and how to manage them.

What information is at risk?

Educational institutions are prime targets for cybercriminals. There are several kinds of attractive data held by these organisations, often at huge scale:

  • Personal information: Any identifiable information about persons, including basic biographical and contact details.
  • Sensitive information: Any information about persons that is sensitive (including health, ethnicity, criminal history and other sensitive information); as well as sensitive legal, FOUO or other information deemed sensitive by the organisation (including financial, technical and executive information).
  • National Security: Any national security classified information, or unclassified information with an equivalent national security business impact level. Many universities work in collaboration with national and international Defence forces on teaching and research.
  • Compliance: Information subject to relevant regulations which must be appropriately stored, maintained, and protected.
  • Intellectual Property: Information about cutting edge technology, which is a highly attractive target to steal (and can contain commercially sensitive IP from research collaborators in the industry).

What are the threats?

  • Cybercriminals: These actors are motivated by profit or ego, are highly capable, and are most likely to conduct ransomware attacks, or to steal intellectual property or credentials for on-sale. They may target systems simply to cause disruption attributable to them.
  • Foreign State Actors: These Advanced Persistent Threats (APTs) are most likely to target intellectual property to boost their own capability. They may also target government information, and sensitive or authentication information, that can be used in the event of a conflict to disrupt or influence government business and domestic operations. This group may include foreign corporations with the possible support of their nation state.
  • Issue motivated groups: These actors (‘hacktivists’) are most likely to attempt to steal sensitive information, and conduct denial of service attacks, in order to disrupt or expose what they see as controversial research and development.
  • Serious Organised Crime groups: These actors are primarily motivated by profit but have low capability, so may attempt to compromise individuals in order to commit contract fraud or facilitate transport of contraband.

All of these threat actors have varying levels of motivation and capability, and they continue to become more sophisticated. But it takes just one trusted insider for them to get in and cause damage.

Could it happen to us?

Well, it’s already happened to the Australian National University, Queensland University of Technology, and Deakin University in Australia. In February 2023 alone it’s happened in Germany, Switzerland, Austria, Italy, the USA, Réunion, and Israel. So, chances are, it could happen to anyone at any time. The worst-case scenario is that you may not even know you have been compromised until it’s too late. Some threat actors have developed ways to hide their identities and what they are stealing. According to a report by PwC, obfuscation-as-a-service proxies have been the method of choice for these threat actors to hide their tracks since 2022.

What do we need to do?

This is such a serious and wide-ranging problem that many governments have developed Taskforces and Guidelines to combat foreign interference and other hacking in the sector. The Australian Guidelines recommend the following three high-level steps:

1: Understand and proportionately mitigate cyber business risks, using techniques like threat models where possible, to inform the cybersecurity strategy. This means considering the threat actors listed above, and others, to really understand who would want the information and why. This helps predict how they might go about accessing it, and what kind of harm would happen if they did.

2: Implement a cybersecurity strategy that treats cybersecurity as a whole-of-organisation human issue and incorporates an appropriate controls framework. This means understanding what your information assets are and where they are, so you can implement appropriate controls around them, proportionate to their risk.

3: Participate in communities of best practice, which share cyber intelligence and lessons across the sector and government. Not all sharing is bad — we need to share lessons and findings with ‘friendlies’ in government and in partner institutions. We are stronger together.

Being proactive, and knowing what information you have, where it is, and who is doing what to it, is the best way to mitigate the impact of a breach. Many regulators and universities have adopted Castlepoint as part of their control framework, and its ability to federate and make data governance reporting consistent across entities is critical for this purpose. Check out some case studies from the sector to see how other higher education institutions are using this cutting-edge software to identify and reduce their risks at scale.

What next?

Contact us for more information about how we can help you. We are trusted by Education and Research government agencies as well as by many Universities and higher education providers to solve the challenges of information security, privacy, and compliance.