Security Fridays Week 19 – Universities need to follow business best practices in keeping student data secure.
Educational establishments do find themselves in a really difficult position when it comes to cyber security and I certainly don’t envy them. On the one hand they are profit-making businesses, and some make a great deal of money, which makes them targets for attacks and places the onus on them to be secure. On the other hand, they are there for the purpose of education. Significant expenditure that doesn’t go directly to educational resources can be hard to get past a board that may not fully understand the risk that cyberattacks really bring.
Unfortunately, this event, which closed down exams and a university’s systems, along with several other similar incidents, proves it’s time for the administration of such places to understand that universities have grown to be regarded as serious targets worthy of attention, and that it’s time for a change in attitude to protect themselves and their students. They tend to forget it is not just financial losses they need to protect themselves against, but also the damage that can happen to their students if they leak those details like a sieve.
While the article speculates that it was ransomware, almost all attacks nowadays are multifaceted and generally can (and do) involve theft of the data before it is encrypted to stop the organisation accessing it.
Now remember, that data contains records of students, young people just starting out in life who are already likely to have to put themselves in a great deal of debt to pay for their course. Imagine the damage if fake student loans are opened in their names, credit cards or other debts. The damage to credit rating and their personal identification could be devastating at a time they are already going to be struggling.
Then, looking at the attack itself, a lack of security costs educationally as well: cancelled exams, an inability to handle clearing, and no access to learning resources.
The simple truth is, if you want to run as a business, make money as a business, and hold massive amounts of personal information as a business, then you need to step up and put in security like a business as it is vital to be able to continue to do the function people are paying you for. That is a lesson that needs to be learnt across almost all universities I’ve spoken to.
Things that could help:
1 – Security training, not just for staff, but for students too. It should be mandatory and kept up to date; after all, it is an educational establishment.
2 – Secure data segregation. The sensitive data the university holds should be in secure enclaves far, far away from anywhere students can access. It is far more likely for malware and phishing to land on a student endpoint, and there is no need for them to have direct access to that sort of secure data.
3 – Enforce endpoint requirements for connected devices. Use 802.1X to control what can connect to the network and make sure that only devices with an appropriate security posture can connect. It might make it a little trickier for some students, but it will instil decent security practices and ideas in them at the beginning of their career, and that will serve them throughout their working lives.
Read the article that was analysed here: https://www.infosecurity-magazine.com/news/northumbria-uni-campus-closed/
Category: Industry News