5 ways universities and colleges can protect themselves from cyber attacks
During the UK’s enforced lockdown due to the COVID-19 pandemic, research has suggested that there has been a surge in malicious apps, websites, phishing emails and messages designed to trick the public and steal confidential or sensitive information.
Indeed, further data from The Chartered Trading Standards Institute has even suggested that the UK has been the most severely targeted country for COVID-19 related phishing emails.
Attacks on sensitive student data
While COVID-19 cyber attacks give the public additional reason to be wary with their personal data, the issue goes far beyond COVID-19 related scams for the education sector.
The National Cyber Security Centre (NCSC) yesterday (17 Sept) issued an alert to the academic sector. Cyber security experts have stepped up support for UK schools, colleges, and universities following a spate of online attacks, such as the Blackbaud data breach, which have the potential to derail their preparations for the new term and allow sensitive personal records to fall into the hands of cybercriminals.
In recent months, we have seen numerous data breaches affecting universities. Whilst the most common reason for a breach is human error, sophisticated hacks from cyber criminals are unfortunately a familiar sight in this sector. Universities not only hold the personal information of their students, they often carry out government-commissioned research, making the risk not only a personal one, but a national one too.
A lack of investment in IT security, coupled with the false assurance of being ‘of little interest’ to attackers, makes the education sector an appealing target for cyber criminals.
So what can universities and colleges do to protect themselves from hackers?
Here are my top 5 tips on how universities could educate their staff and students to protect their personal data from malicious cyber attacks:
1. Train staff & students on phishing
Phishing is becoming more and more advanced. Every day, innocent people are lured into clicking false links and handing over personal or financial information as a result of phishing.
Phishing is a type of online scam where criminals send a communication that appears to be from a legitimate company, asking the user to provide sensitive information. People can be targeted through email or text message, which generally have a sense of ‘urgency’ about them, scaring those affected into believing they must share the requested information quickly.
Training staff and students on how to spot a phishing email is a good way to help prevent cyber attacks. There are a few key things to watch out for, including poor use of language, incorrect spellings, generalised greetings and incorrect URL pathways. General tips to follow include:
- Never click on a link within an email that you weren’t expecting
- Be aware that email addresses can be spoofed, even if they appear to be from a familiar organisation
- Hover the mouse over links before clicking them to see where they actually lead
- Always log into accounts using your browser, not through a link in an email or text message
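The indicators listed above (generalised greeting, urgency wording, a spoofed-looking sender, and a link whose visible text disagrees with its real destination) can be checked mechanically as a first-pass triage aid for a helpdesk. The script below is an added example, not code from the original article; the message, domains and IP address in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample phishing message for the demo; all names and addresses are placeholders.
SAMPLE_EMAIL = """\
From: "University IT Services" <helpdesk@example-university-login.com>
To: student@example-university.ac.uk
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Dear student,</p>
<p>You must verify your account within 24 hours or access will be suspended.</p>
<p><a href="http://203.0.113.7/login">https://portal.example-university.ac.uk/login</a></p>
"""

GENERIC_GREETINGS = ("dear student", "dear user", "dear customer", "dear sir/madam")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(url):
    """Hostname of a URL, lower-cased; empty string if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

def phishing_indicators(raw, trusted_domain):
    """Return the set of indicator names found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: inspect the first part only
        body = body[0].get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    found = set()
    # Language cues from the article: generalised greeting and pressure to act quickly.
    if any(g in text for g in GENERIC_GREETINGS):
        found.add("generic_greeting")
    if any(w in text for w in URGENCY_WORDS):
        found.add("urgency_language")
    # Spoofed sender: display name claims the university, address domain does not.
    _, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    if sender and sender != trusted_domain and not sender.endswith("." + trusted_domain):
        found.add("sender_domain_mismatch")
    # 'Hover before you click': does the visible link text agree with the real href?
    for href, label in LINK_RE.findall(body):
        shown = domain_of(label) if label.strip().lower().startswith("http") else ""
        if shown and shown != domain_of(href):
            found.add("link_text_mismatch")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", domain_of(href)):
            found.add("raw_ip_link")
    return found

if __name__ == "__main__":
    print(sorted(phishing_indicators(SAMPLE_EMAIL, "example-university.ac.uk")))
```

A result with several indicators is a prompt for a human to look closer, not proof of phishing; a legitimate but badly written internal notice can trip the language checks too.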
2. Tighten up accessibility
Keeping a firm hand on exactly who has access to your network, and validating all user credentials on a regular basis, will help to tighten up security. Without this, attackers can use legitimate, authenticated accounts to reach your databases and steal information. This is a key part of cyber security, and will go a long way towards ensuring the overall security health of your institution. Some key steps to follow include:
- Ensuring that any new users are who they say they are, and granting each person only the level of access appropriate to their role
- Implementing a suitable authentication process for new and current users
- Reviewing your authentication process on a regular basis to test for security gaps and accuracy
- When a service supports two-factor authentication (2FA), always enable it to protect accounts against password theft
- Always disabling accounts and access as soon as they are no longer required
3. Invest in good cyber hygiene
Universities and other higher education establishments hold an awful lot of personal information relating to their student body: postal addresses, email addresses and phone numbers, unique student numbers, dates of birth and gender. There may also be personal information on file relating to the background of certain students, any changes in circumstances, or exam results. Basic cyber hygiene is therefore key to keeping this confidential information safe.
This includes patch management, antivirus and firewall management. Ensuring that all security software is regularly updated and tested will help to create a good foundation for cyber security.
4. Update the network design
Establishing a good security system can be tricky for universities, particularly where tightening controls makes internal information-sharing harder. Updating the network design can help to balance the two. Typically, university networks tend to be a patchwork of smaller networks, one for each department. Although this offers freedom for staff and students within those departments, it also presents a challenge when it comes to protecting data.
When designing a computer system that is both secure and functional, universities should pay attention to the following steps:
- Inventory all network elements and ensure there are no defensive ‘blind spots’
- Attackers can only penetrate what they can reach, so make your data difficult to access
- Understand your own system, so you can spot suspicious activity as it happens
5. Act fast – minimise damage
In reality, no system is ever entirely safe from hackers. Taking all the right steps to protect personal and sensitive data, and making the network difficult for hackers to access, is an absolute must. But cyber attacks are always evolving, and ever more advanced techniques are being developed.
It is key for universities to understand their networks, understand usual user behaviour, educate staff and students on data safety, and act fast if any red flags are spotted. Having a crisis management plan in place, and working closely with your security team, will help to minimise any damage and disruption caused by a cyber attack.
Paul Cahill, Data Breach Solicitor at Fletchers Data Claims