How to resolve the cyber security risks facing universities today
What are the biggest cyber security risks facing universities today? External security breaches or the actions of those within the institution? Could it be staff and students that are putting their own and their university’s digital safety at risk?
Ransomware attacks are still the biggest cyber concern for universities, but fear is growing in the sector, and phishing and social engineering are coming a close second. With universities relying more on online systems than ever before – classes and communications delivered digitally; even accommodation access is now through a digital card – the interactions of staff and students could be opening your university up to a cyber attack.
What are the challenges?
When we think of a cyber attack, we think of a university being hacked by a criminal gang; the IT team will be making this a priority. But there are many other ways an institution can be opened up to problems. Preventing these problems is something that all staff and students should be aware of; digital resilience is key to a university’s cyber safety.
The naivety of students is a factor that needs to be addressed; this can be even more acute in the international student population. We think of young people as tech savvy, but the criminals, as always, are more talented and inventive and will gain access to systems and personal data in a variety of ways:
- Scam e-mails and texts
- Catfishing
- Threats and extortion
- Unexpected money
The list goes on as criminals find new ways to gain the information they want. Scare stories of students being scammed out of thousands of pounds, by e-mails threatening their family, and even lured to destinations through fake online friends, only to be physically harmed, have been featured regularly in the media. Data leaks are another common media topic. It only takes one click when someone is rushing or panicking, because the e-mail always provides a sense of urgency, and it’s done: the university’s systems are breached, resulting in unwanted media coverage, which can impact the institution’s reputation.
Although these crimes may seem isolated and linked only to the student or staff member that has been targeted, they can have larger consequences, as they can also contain malware that, once in the system, can cripple a university, from accommodation key cards and e-mails to phone systems and building admittance. This is why we need a multi-university approach to combat the infiltration.
Cyber security training and education are how we can work to combat this. With around 80% of university staff undergoing compulsory training but only 5% of students, according to recent figures from JISC, there is massive potential for improvement.
Including warnings of cyber threats in the welcome security talks and online content will bring awareness to students, and may help quell the influx; regular updates and reminders will also help embed good practice for staff and students. Forewarning and training are the only way universities will reduce instances of breaches.
There is also a physical aspect to this. Most universities have card access, and we tell staff and students not to let anyone tailgate them into a building, and to challenge anyone they don’t recognise, but they are not given the verbal tools to do this without being confrontational. To address this, role play and verbal cues during safety training should be compulsory, enabling students and staff to challenge in a safe and confident way.
We may think that this problem only involves technology, but there can be far-reaching consequences beyond data. When students have been scammed, losing money and private information can contribute to mental health issues, and if the financial loss is too great it may lead to them dropping out of university, which no university would want.