

Increasing awareness, training and robust technical controls can protect universities from attacks as staff work remotely
The coronavirus pandemic has changed the ways in which universities work. There has been a mass migration to online platforms and personal devices as academics and administrative staff perform their duties from home. This disruption can expose institutions to a heightened risk from a variety of digital threats, particularly phishing campaigns, and underlines the importance of maintaining good cybersecurity practices.
“I think criminals of any nature have always been opportunistic,” says Gareth Packham, head of information security at Oxford Brookes University. “I don’t think there are new risks, but I think in some cases, yes, the risk level has increased. But if your cybersecurity department has been doing its job well, there shouldn’t be any nasty surprises.”
The ideal scenario is one where phishing campaigns are caught and neutralised by the university’s IT infrastructure before reaching an individual’s inbox. Packham says that “event-driven” and seasonal phishing attacks are par for the course. Typically, attacks spike in September and October, when staff and students return to campus, and commonly take the form of emails to students touting bogus hardship schemes. With the Covid-19 outbreak, phishing attacks maintain a similar topical cynicism and are tailored accordingly. Many are unsophisticated but, if they are not caught by university IT systems, the best line of defence is individual awareness, with universities supporting all users of their systems through training and clear communication of best practice.
This is easier said than done, says John Chapman, head of the security operations centre at Jisc, the UK education and research technology solutions not-for-profit. “Even seasoned professionals, including those in IT and cybersecurity, can fall victim to a really specific phishing campaign,” he explains. “We are all working long hours. We can all be distracted – maybe you have young children at home who you are trying to home-school. It is very easy to click on something that maybe you shouldn’t have, or wouldn’t have if you were more alert, or back in the office. In an office, you also typically have someone you can turn to and ask if they’ve also had a suspicious email, which isn’t as easy to do in a home environment.”
Like all large organisations, universities have many points of entry for cybercriminals. Chapman says tackling this “ever-changing threat landscape” should be planned from the ground up, with information security embedded as part of the university’s broader digital strategy. He cites the increasing number of universities passing the UK government’s Cyber Essentials certification scheme – up from 14 per cent in 2018 to 44 per cent in 2019 – as a positive trend. Passing Cyber Essentials enables organisations to demonstrate a solid grounding in the fundamentals of cybersecurity, and should be accompanied by cybersecurity awareness training for everyone across the organisation. “Getting the board and the directors to buy into your cybersecurity strategy and getting that embedded throughout the whole organisation is key,” he explains.
Cybersecurity is both a technological and a cultural issue. With more universities adopting cloud-based services to manage their data and systems, there may be a change to the risk environment, as cloud-based systems are managed externally with a third party possibly responsible for updates and security patches. This, allied with IT safeguards such as compartmentalised systems and isolated networks, can help universities mount a sound technological defence against cyberattacks.
During lockdown, enforcing virtual private network (VPN) connectivity from managed devices to university-hosted systems and implementing multifactor authentication can further mitigate risks. Solving the cultural issue requires getting the communication right, and a little more finesse.
Tom Stoddart, assistant director of information security at Manchester Metropolitan University, sees universities’ cybersecurity challenges as predominantly cultural, with the huge variation in the type of work undertaken by different departments resulting in the need for bespoke communications and training to raise staff awareness.
“The idea that there is any one-size-fits-all approach that is going to pique everybody’s interest is nonsense,” he says. “So we have spent quite a lot of time trying to find different senior sponsors for pieces of work and doing our best to adapt our message for different departments.”
Packham agrees. “I think it is more about making sure people know what the risks are,” he says. “At Brookes, I champion a risk-based approach to cybersecurity and working with data. Not all data is of equal value, either to the organisation itself or an attacker. But if you are working with HR or student data, that’s when you probably do need to seek guidance with people like myself or the team around me.”
Such measures are now more timely than ever. “Training and awareness are particularly important when people are working from home,” he adds. “If staff do not understand how to do things safely and securely, then all the policies and procedures in the world won’t help.”
This article was commissioned by Times Higher Education in partnership with Jisc, the UK body for digital technology and resources in higher education, further education, skills and research.
















