The pandemic has significantly changed the way higher education establishments, which have traditionally relied on in-person learning, teach their students. With government lockdown restrictions in place, physical lectures and seminars have had to move online, whilst institutions have still had to provide the same level and quality of education that would have been offered pre-pandemic.
To deliver on this new promise, higher education institutions have required a completely new, digital-first approach underpinned by cloud technology. While migrating to a cloud network enables organisations to handle large amounts of data from one central location, and provides more autonomy and flexibility to users, it comes with some challenges.
This article will look at the importance of mitigating the risks of cloud technology by developing a strong cloud security policy.
Higher education is under attack
Educational institutions make attractive targets for cybercriminals. As hubs of innovation holding data that includes ground-breaking research, they will always present a lucrative opportunity to anyone who breaks into their infrastructure. With the implementation of e-learning across most educational institutions, organisations are effectively leaving themselves wide open to threat actors. The use of hybrid cloud networks, which are now commonplace among public sector institutions, further increases the risk of challenges and vulnerabilities across the network unless close attention is paid to the compliance and configuration differences between the public and private security platforms. For example, as these cloud networks are often internet-facing, potential attack methodologies include Distributed Denial-of-Service (DDoS) attacks. Such attacks can be highly damaging and disruptive to student learning; our State of Email Security research found that ransomware attacks caused an average of three days of business downtime per year in the UK.
Data breaches are also a constant threat. If they occur and an institution’s data falls into the wrong hands, not only would this be a hindrance to the progress of research projects, but there is always the possibility of it being sold to unknown malicious actors.
There are also wider implications for higher education bodies that suffer data breaches – including the damage caused to their reputation. Students and staff based in higher education put their trust in their institution to properly protect their data and research. Similarly, intellectual property can be misused if leaked or stolen, since institutions can no longer protect (or control access to) research that was once exclusive to them. These organisations rely on their reputation as centres of academic and research excellence to attract students, so it’s vital to protect this reputation at all costs.
Creating a good cloud security policy
Forrester’s recent survey, HPC And AI In The Cloud: A Spotlight On Higher Education, shows that 50% of higher education IT decision-makers find security and privacy issues to be the biggest challenge they face when migrating to the cloud. When it comes to infrastructure challenges, 62% identified security and compliance as an area of concern. Institutions are recommended to implement a cloud security policy that addresses these concerns and covers the following:
- Data monitoring/oversight abilities – downloading the wrong file or application can easily result in unwanted access to a higher education institution’s cloud network. To counter this, IT teams must have oversight over all endpoints that are connected to the network within the entire organisation – including remote campuses. By doing this, they can identify and quickly fix any vulnerabilities.
- Limiting access to files, even internally – access control is crucial to reduce data exposure. Access to all internal files should be limited to those who require it as part of their role. If data access is to be extended to new individuals, then the IT team needs to be notified and the individual must follow proper procedure. For example, they may be prompted to enter their password or provide authentication in another form.
- Compliance with appropriate legal governance and frameworks – this means ensuring sensitive data is stored and shared in accordance with GDPR guidelines. To make sure this is possible, staff must be properly trained in GDPR so they know the correct way to store and handle data within their roles. Total compliance is only possible if security is considered a priority. This requires putting safeguards in place to ensure access to data – whether stored or in transit – is tightly controlled.
- Mandatory cybersecurity awareness training – as power users of the institution’s digital learning and management platforms, both students and staff should undergo regular cybersecurity awareness training to ensure they are fully aware of the steps to follow. To be effective and foster knowledge retention, these training sessions need to be engaging. Training that is short and humorous results in higher levels of engagement and a positive change in cyber hygiene habits – effectively enabling staff and students to act as guarantors of the organisation’s cyber defences.
Along with the above, due diligence of third-party vendors providing cloud network services or helping to store data should be commonplace. Things to consider include the vendor’s reputation, financial health and any policies or procedures the vendor has that could affect access or storage of the organisation’s data.
Changing world, changing threats
The nature of the cyber threats facing the higher education sector is constantly changing. As technology rapidly develops, so does the sophistication of the methods cybercriminals use for attacks. At Mimecast, our threat intelligence team has observed that cybercriminals increasingly tend to combine methods of attack to maximise damage caused to businesses they target. For example, they target students through social engineering and the impersonation of apps, subdomains and even social media profiles. To address these new, sophisticated threats, higher education organisations need to deploy multi-layered security. This will enable them to stop threats early and ensure that their operations can continue at all times.
A cloud security policy should be an integral chapter in an organisation’s overarching cybersecurity policy. This policy should be developed as part of a long-term strategy, adapting to the evolving nature of threats to consistently thwart hackers. As threats evolve over time, this requires regular reviews and adjustments to the policy – as well as consistent training for staff and students to ensure they can always stay one step ahead of threat actors.