The university challenge – are academic institutions a national security weak link?

(Image credit: Image source: Shutterstock/Sergey Nivens)

As we become more digitally connected, so the potential of being targeted by cyber-attacks increases. Regardless of sector or organisation type, dealing with a barrage of threats is now commonplace. UK councils were subject to nearly 100 million attacks in the last five years; 60 per cent of large businesses and over 50 per cent of high-income charities report having cyber security breaches in the last 12 months; a small business is successfully hacked every 19 seconds.

Hostile parties, whether criminals, state-sponsored hackers or hacktivists, are continually looking for easy ways into networks and data sources. They want maximum return from minimum effort, whether their end goal is profit, nation state intelligence or operational disruption.

Certain organisations, such as those dealing in national secrets and highly sensitive research, are guarded by the appropriate security mechanisms when part of a government organisation. What happens, however, when they exist outside of traditional structures and defences? What if, for example, they are explored and housed in universities?

As seats of learning, higher education institutions they are uniquely placed to support early-stage, government-backed research exploring the cutting edge of innovation in a variety of fields. This is vital, not only to further national interests, but for the institutions to be able to differentiate themselves and generate revenue in an increasingly crowded marketplace.

According to a recent survey Dell EMC and VMware conducted, research programmes are now worth on average £22 million to UK universities annually.

However, the very nature of these programmes means they attract unwanted attention from hackers. Whether state-sponsored or financially motivated, the cybercriminals targeting UK universities have access to an increasingly sophisticated arsenal of digital weaponry which institutes of higher education may not be prepared for.

A fact of life

As with other sectors, it appears UK higher education has to cope with regular cyber-attacks – a quarter of senior IT leaders at universities responding to the study admitted their institution was targeted on a daily basis.

This means they are well aware of the impact of a successful attack – over half of respondents believe that a successful cyberattack on their research data could result in serious financial loss for their institution.

It isn’t just a revenue issue, either – with a third of respondents conducting research in the interests of national security, one in ten strongly agree that a successful attack could have a harmful impact on the lives of UK citizens.

So they are aware of the consequences, but how does that translate to preventative action?

Unfortunately, at this stage it appears not to have increased budgets – almost half recognise that a lack of IT investment is one of the forces driving the need for more robust cyber security practices. That means better education for staff and students on basic cyber hygiene principles, from robust password practices to being wary of unsolicited attachments on emails.

This is vital, since half of respondents believe teaching staff and students are most likely to be the causes of data breaches, with one in six pointing to researchers as the biggest contributors to shadow IT at their institution.

At a time when budgets will continue to be stretched, and cyber threats become ever more sophisticated, universities need to ensure that those human weak links are strengthened considerably.

Keeping ahead of a complex landscape

To keep ahead of this complicated, potentially threatening landscape, universities need to consider these five points:

1.            Rather than trying to keep up to date with the different techniques cyber criminals will use to launch a hack and escape detection, or chasing threats after they have already caused havoc in the network, universities should look to adopt a more “knowing good” approach to security. This means focusing on approved behaviour for applications and services, rather than trying to block all unknown activity or potential threats.

2.            IT needs to act just like a business, positioning itself as the best, most attractive option for technology needs, otherwise staff or students will be tempted to look elsewhere for their requirements. This can lead to the rise of Shadow IT, with significant security implications. By providing a creative, agile platform that can deliver support quickly, these internal risks can be avoided.

3.            Balancing a culture of openness, access and seamless experience whilst ensuring security is a tough challenge for any organisation. Often staff or students, unaware of the role that they play in security, may unintentionally ‘open the door’ to hackers. User education is critical and the only way to maintain balance is to educate everyone on their collective responsibility when it comes to security.

4.            The networks and security of universities needs to be more dynamic than the threats they face. Bolting on security products as an afterthought to protect against these threats will not keep pace with their evolution and disruption. The best approach for universities is to make security intrinsic to everything they do and build in protection to IT infrastructure and applications right from the start.

5.            Universities should also take a more user-centric approach to security. They need to secure the user and their interaction with data first, building policies around students and faculty and the way they work before working backwards to the portals and channels that the IP is delivered over, and before focusing on on-premise and legacy infrastructure.

Protecting a heritage of academic excellence

British universities have long been celebrated around the world for their academic excellence, and the role they play in not only driving technological and social innovation through research, but also advances in defence and security.

It’s vital they protect that reputation yet keeping pace with today’s sophisticated cyber threats is an enormous challenge.

Those responsible for protecting universities and the data that they hold must examine how they can evolve practices and approaches in line with an increasingly complex threat landscape, including cybersecurity as a consideration at every stage of the research process by design.

Louise Fellows, Director, Public Sector UK&I, VMware