For higher education institutions, the start of the new academic year was unlike any witnessed before. The sector was not only contending with reopening campuses in a COVID-safe way for both staff and students, but had also received a stark warning from the National Cyber Security Centre (NCSC) about the rising number of cyber-attacks against colleges and universities.
Currently up to a thousand attacks a year target higher education institutions across the UK, often in the form of phishing and ransomware attacks. These can leave staff and students open to account hacking, credential theft and credit card fraud, and leave vulnerable the networks, which may house large amounts of IP and data, sometimes on behalf of industry and government. As a result, the institutions face substantial risks, and security breaches can have significant and long-lasting repercussions.
Therefore, with security breaches often resulting in fines and GCHQ highlighting that it can take months or even years to recover after an attack, it is vital that higher education institutions identify where their cybersecurity risks lie and implement the right strategies to help maintain cybersecurity safeguards and protect data.
Strategies to Minimise Risk
To minimise risk and safeguard data, institutions must begin to adopt transparent strategies and policies. This includes backing up data and keeping it offline at certain points on a regular basis, monitoring network traffic, and managing access controls. Additionally, with many thousands of staff and students to protect, active two-factor authentication should be considered to give every network user an extra element of security.
Higher education institutions must also plan for the event of a security breach and consider the possibility of shutting down an entire network or system for a period if needed. Such a plan will enable the institution to respond to an attack, identify the infection point, and reset and analyse the infrastructure so that it can get back up and running safely. It will also allow time to change passwords, update credentials and restore data as necessary, and to notify authorities of the breach as necessary to comply with data protection and security regulations.
Processing Data Securely
As universities and colleges process significant volumes of personal data, the sector must address how to do this securely and in a way that complies with the General Data Protection Regulation (GDPR). The most effective way is to establish governance for the protection of personal data, which starts with appointing a Data Protection Officer who will be responsible for ensuring that the institution maintains compliance and that a clear GDPR strategy is enforced and communicated across the institution's community. They should also make the student body and full-time employees aware of the risks and consequences, for the individual as well as the organization, of failing to adhere to cybersecurity policies. Further to this, to safeguard against GDPR data breaches, the Data Protection Officer should monitor and audit the use of data on an ongoing basis, through the use of Data Protection Impact Assessments, to confirm which policies are being complied with.
Additionally, it is critical that institutions understand that ineffective and insecure storage and management of student data can severely impact the student experience long past students' time with the university, as much of the information stored will be required once they leave. Consequently, it is important that personal data and IP are protected. As institutions are data controllers of student data, they must work with their technology partners to implement the right data platforms to store and transmit both student data and other resources securely and safely. The most effective solutions will be those with security based on authentication, authorization, auditing and encryption. The authentication capabilities will allow the institution to verify the identity of all users, while authorization ensures that users can access the resources that they need, and no others.
Such a solution should also be paired with tried and tested cybersecurity strategies that define and operationalize how an institution identifies, protects against, detects, responds to and recovers from cybersecurity events and incidents.
Maintaining Security in a Changing Education Landscape
With an increase in remote learning due to the ongoing pandemic and the requirement to hold even more information on students for track and trace purposes, the amount of data higher education institutions are handling is only rising. But so too are the threats they are facing. It is, therefore, necessary that strategies are adopted to protect both the business and their students from growing cyber-threats. From technical initiatives such as implementing two-factor authentication for all, to organizational ones such as appointing a Data Protection Officer and working with partners to adopt the right strategies and solutions, there are significant changes universities and colleges can make to reduce the risks and strengthen infrastructures.