Security Fridays Week 19
Chris Cassell 25/09/2020 Industry News
Why the education sector can no longer ignore cybersecurity
Educational establishments do find themselves in a really difficult position when it comes to cyber security and I certainly don’t envy them. On the one hand, they are profit-making businesses, and some make a great deal of money, which makes them targets for attacks and places on them an onus to be secure. On the other hand, they are there for the purpose of education, and significant expenditure that doesn’t go directly to educational resources can be hard to get past a board who potentially do not understand the risk that cyber attacks can really bring.
This event, along with several others, unfortunately proves it’s time for the administration of such places to understand that they have grown to be regarded as serious targets worthy of attention and that it’s time for a change in attitude to protect themselves and their students. They tend to forget it is not just financial losses they need to protect themselves against, but also the damage that can happen to their students if they leak those details like a sieve.
While this article speculates it was ransomware, almost all attacks nowadays are multifaceted and generally can (and do) involve theft of the data before it is encrypted to stop the organisation accessing it.
Now remember, that data contains records of students, young people just starting out in life who are already likely to have to put themselves in a great deal of debt to pay for their course. Imagine the damage if fake student loans, credit cards or other debts are opened in their names. The damage to their credit rating and their personal identification could be devastating at a time they are already going to be struggling.
Then, looking at the attack itself, a lack of security costs educationally as well: cancelled exams, an inability to handle clearing, no access to learning resources.
The simple truth is, you want to run as a business, make money as a business and hold massive amounts of personal information as a business? Then you need to step up and put in security like a business, as it is vital to being able to continue to perform the function people are paying you for. That is a lesson that needs to be learnt across almost all universities I’ve spoken to.
Things that could help:
1 – Security training, not just for staff, but for students too. It should be mandatory and kept up to date; after all, it is an educational establishment.
2 – Secure data segregation. The sensitive data the university holds should be in secure enclaves far, far away from anywhere students can access. It’s far more likely for malware and phishing to land on a student endpoint, and there’s no need for students to have direct access to that sort of secure data.
3 – Enforce endpoint requirements for connected devices. Use 802.1X to control what can connect to the network and make sure that only devices with an appropriate security stance can connect. It might make it a little trickier for some students, but it will instil decent security practices and ideas in them at the beginning of their career, and that will serve them throughout their work lives.
Read the article that was analysed here: https://www.infosecurity-magazine.com/news/northumbria-uni-campus-closed/