There has been a sharp rise in the number of ransomware attacks on universities and higher education institutions since the beginning of the pandemic. In fact, one recent study claims the volume of attacks within this sector doubled in 2020, compared to 2019, with the average ransom standing at $447,000 (£328,134). Furthermore, according to the Cyber Security Breaches Survey 2021, by the Department for Digital, Culture, Media and Sport (DCMS), 91% of further education (FE) colleges surveyed said they had suffered a phishing attack over the past 12 months. Around a quarter (26%) of FE colleges admit they experience breaches or attacks at least once a week, which is on a par with the average business (27%).
Also in the last 30 days, Microsoft reports the education sector has encountered 5.6m malware attacks, making it as the most affected sector. To give some context, the second most impacted sector, which is business and professional services, reported just over 853,000 attacks in the same 30-day period. According to the World Economic Forum Global Risks Report 2020, cyberattacks rank first among global human-caused risks. Clearly, the threat level for the FE sector is particularly high, and while students continue to receive more and more of their learning online, the consequences are far-reaching. FE institutions need to give urgent priority to protecting themselves, their data, and their students from future attack.
Why is further education being targeted?
Fundamentally, cybercriminals are motivated by money and data: while most FE institutions may not be cash rich, they house a wealth of data that is perfect for extortion, blackmail or sabotage. In the case of universities particularly, research data and IP are often the primary target, and over the past year, COVID-19 research data has become an obvious motivator. For example, in February, one of the world’s top biology labs at Oxford University, undertaking valuable COVID-19 research, confirmed its systems had been compromised by attackers. Evidence suggested the bad actors had gained access to machines used to prepare biochemical samples, though the university refused to comment further on the scale of the breach. In the college sector, student data is also an attractive target, for identity theft.
In the wider FE sector, criminals are primarily looking to gain access to institution networks in order to use them as a springboard for other attacks, under the guise of being a trusted institution.
Another factor is that often we are dealing with reputationally motivated criminals, and if they can add a prestigious university to their list of exploits, this will enhance their standing or profile within the cybercrime community. Political motivation, competition, or international espionage can also be driving forces for nation states wanting to gain advantage over other countries, in matters such as the COVID-19 vaccination programme.
The high-performance computing (HPC) infrastructures of universities are also being targeted for bitcoin mining, which requires heavy computer calculations to verify transactions. As the currency’s value rises, so does its energy consumption, requiring large amounts of energy, and universities often have huge computational capability sitting idle and unmonitored, making them attractive targets. Last year, supercomputers across several European universities, including the University of Edinburgh, had to be shut down following an infection with cryptocurrency mining malware.
What makes FE institutions particularly vulnerable to attack?
Regretfully, universities and FE institutions are in a vulnerable position: not only are they attractive targets to cyber criminals, but additionally, they can be easy targets, lacking the resources required to properly secure their networks. Culturally, education establishments are set up to share and collaborate, and are trusting of the parties they do this with. Bad actors have taken advantage of this relaxed approach and collaborative culture. Additionally, universities were some of the first institutions to have internet access and so they’ve been targets for some time, meaning their security practices are well known to cyber criminals.
To compound the problem, many HE institutions are dealing with aging infrastructure, which is decentralised and controlled by many different departments, meaning that no one has overall control or visibility. Attackers also frequently target FE networks through their remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN), which can offer easy access points for their known vulnerabilities.
Many universities and colleges also fail to plan for an attack and overlook the importance of regular penetration (pen) and disaster recovery (DR) testing. If their systems are compromised, they have no way of restoring data, and their systems can be down for months, affecting students and their learning for quite some time; not to mention the reputational damage, financial damage, costly investigations, and loss of research funding, as well as unforeseen costs to rectify previously unknown security holes. In the FE sector, pen and DR testing are often overlooked due to a lack of resources, staff, and time, as organisations struggle to justify the cost amid other, more pressing priorities.
Large user churn is also a massive problem for education providers, with students leaving annually and new ones beginning. To compound the problem, the sector has a growing issue with BYOD policies, with thousands of students using their own devices to access the network, which the institution then has little or no control over. The risk is that a user opens a personal email using a webmail account, such as Gmail, which unleashes malicious software. This device could then fire up a VPN to access university services, potentially giving the malicious software access to the university’s network.
How can FE institutions ensure their data is secure?
While the risk of attack will remain, there are definite steps the FE sector can take to improve their cybersecurity measures and reduce the chances of falling victim to malicious attackers.
Introducing complex domain credentials and multi-factor authentication (MFA) across all user accounts is a good starting point, so if cyber criminals can breach login credentials, it’s more difficult to exploit them for access around the network. Additionally, adopting a Least Privileged Access methodology is sensible, limiting users’ access rights to only what they need to do their job or their course. Adopting a Zero Trust approach to security is also needed to ensure users and devices connected to the network are continuously challenged at all levels, along with Artificial Intelligence and Machine Learning anomaly detection. Zero Trust is a security concept based on the principle that organisations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.
Decoupling data and applications from the endpoint device and adopting a centralised delivery model for services is also necessary within FE. Institutions that have adopted a centralised delivery model have dramatically reduced their attack surface, accelerated security patching and simplified recovery capabilities. Also moving applications and data repositories to SaaS options where possible, which eliminates the reliance on VPN to access university hosted services and goes some way to solving the burgeoning BYOD issue. Looking further ahead, the uptake of Chromebooks, for example, to replace BYOD, could prove a far more secure method for FE, since there is no history to date of them being compromised.
Furthermore, it is critical that penetration and DR testing are prioritised and carried out regularly, to ensure a sufficient back-up plan is in place where data can be easily recovered in the event of a breach. From this, an effective Cyber Incident Response plan can also be created and communicated. Education is essential, and students and staff need to be made keenly aware of the dangers of phishing attacks, particularly via email and web pop-ups.
Ultimately, with the number of incidents affecting the education sector growing, it is no time to be complacent. Currently, a mere 0.3% of all reported cybercrime complaints are enforced and prosecuted, and so the onus is on FE to put sufficient deterrents in place and ensure that their data is safe. The FE space has undergone unprecedented change over the past 18 months as a result of the pandemic, but transformation must continue at the same pace. The threat level within education will only continue to grow, even once in-person teaching resumes in September, and so it is critical FE institutions do all that they can to avoid being an easy and attractive target.
Mark Sweeney, Regional Vice President, UK & Ireland, Citrix