With universities welcoming a new student intake this month, one thing they must be prepared for more than ever are cyber-attacks.
Sunderland, Northampton and Hertfordshire universities in the UK all recently suffered major breaches, and cyber-attacks on the educational sector cost around £620,000 a year per incident. However, the consequences go beyond financial cost. They cause crippled systems, huge data loss, and stress for staff and students.
Having worked with universities like Reading to keep them secure, I’ve seen first-hand why they’re the most vulnerable targets for cyber-attacks. Universities sit at the centre of a perfect security storm. With blended learning approaches and recent mass migration to cloud environments, they’ve become highly exposed, especially as thousands of students move in and out.
These institutions involve an enormous pool of personal devices, with students who are relatively inexperienced with cyber training and willing to take significant security risks. Recent research shows that younger generations conduct more risky behaviour; for example, 93% of Gen Z workers utilizing corporate email for personal use.
Addressing Organizational Migration
Universities have thousands of people regularly entering and exiting their environment, which exposes them to further threats to resilience and security. Ensuring that the doors to a university’s data are locked behind departing students is a vital first step, and managing access and privileges to university data for new entrants should be a priority for university security policies.
The processes around onboarding and offboarding students must be kept as watertight as possible. Using technology like identity security, organizations can keep tabs on user access, with AI continuously monitoring this and detecting and flagging suspicious behavior immediately.
When a student, staff or faculty enters the university, they should be assigned a home group which designates entitlements for the user based on department and type of user (student, associate (guest) user or staff). They should then only be provided access to the specific file shares, databases and other tools that will aid in their experience at the university on day one.
The other side of this process includes removing access for staff and employees that leave the university – this must be done promptly on departure to avoid any continued access to information which can be taken away by the user. Worse still, if an account lies dormant, it is more vulnerable to being breached – without the university even realizing it. Since the access was never revoked, malicious actors can operate under the guise of the original user, making it easier for them to do as they please and steal sensitive information.
Dual Role Staffing Risks and Separation of Duties
At the same time, universities also include large numbers of staff with dual roles across their organization and other industries, creating more risk. Roles related to a practice (e.g., a professor working at a university and a hospital) mean there’s often a need to manage two sets of personas for each staff member.
Separation of responsibilities is a well-entrenched concept, but in reality, it can prove challenging. Defining what roles are forbidden to overlap is usually obvious, but with the growing number of apps and systems, administration can grow complex and error-prone. Add to the mix the different logins for various licenses and subscriptions used by employees during their time in an organization, and the situation can quickly spiral out of control, increasing the vulnerability of systems to exploitation.
Again, control over access is critical here, and access should only be granted in line with specific roles and responsibilities within individual organizations. This means that a professor’s university persona shouldn’t be affected in the event of a hospital breach, even if their hospital persona is.
Ongoing Identity Security
Identity security is always a core component of a successful security and compliance program, regardless of the industry. But its ability to govern all digital identities, including disparate user types found across higher education institutions such as students, faculty and staff, makes this an even more fundamental component that integrates all aspects of an identity program.
Through it, university IT teams can centrally manage access to all apps and data while ensuring access rights are appropriately reviewed and scrubbed, thus creating the foundation for other identity-centric functions such as single sign-on, multi-factor authentication and privileged access management.
With data breaches able to occur at any time and at short notice, strong overarching identity security significantly reduces the threat surface by ensuring users only have the least access and privilege needed to perform their job successfully. Access can be automatically adjusted when users change roles or jobs, minimizing risk and enforcing a least privilege model.
As institutions that are increasingly pressed for time, they’ll also have a strong speed advantage. By leveraging identity security, research suggests that higher education institutions can perform access entitlement reviews in a third of the time compared to the industry average.
Despite their extensive risk surface, universities have certain advantages over their commercial counterparts – and with a strong identity security framework in place, they can also become far less attractive targets to cyber-criminals in 2022.