With significant volumes of personal and research data, intellectual property and other assets stored within their technology infrastructure, higher education institutions have become another target for cyber-attacks. However, the threat has intensified in recent months, with a number of UK universities experiencing attacks in the last few weeks of 2020. In the face of growing cybersecurity risks, the National Cyber Security Centre has recognised that these attacks will continue to pose a threat to the higher education sector, highlighting the need for institutions to proactively defend their networks against malicious activity to avoid any damaging repercussions.
If you take the example of phishing and ransomware attacks, these can cause severe disruption to both students and staff, leaving them open to account hacking, credential theft and fraud, but they can also do reputational damage and result in fines levied under data protection legislation. This is something recently experienced by several institutions, including Newcastle University, which, after suffering an attack that caused substantial disruption to its IT systems, saw vast amounts of students’ personal data leaked on the dark web. As higher education institutions look to act on the fight against cybercrime, understanding how to safely process data and implementing data protection strategies will be critical.
Establishing data governance
With thousands of staff and students operating within the same community, universities and colleges process inordinate amounts of personal data every day and must do so in a way that’s secure and complies with GDPR. However, shortcomings in their processes and infrastructure are leaving some institutions and their data vulnerable to attacks. To overcome these issues, higher education institutions should begin by establishing governance for the protection of personal data. This includes the appointment of a data protection officer who will be responsible for ensuring that the establishment maintains compliance.
As part of this, the data protection officer should enforce and communicate a clear GDPR strategy across the entire institution. Although students agree to adhere to cybersecurity policies and GDPR when enrolling, it’s likely some will fail to comply with the regulations, so it’s imperative that the risks and consequences of failing to adhere to such policies, for the individual as well as the organisation, are frequently reinforced. In addition to this, those in the position of safeguarding data need to monitor and audit the use of data on an ongoing basis to verify which policies are being complied with. The use of data protection impact assessments will be a key process here, helping to identify and minimise risks in any type of data processing and to screen for factors that point to the potential for a widespread or serious impact on individuals.
Keeping data in safe hands
Ineffective and insecure storage and management of student data can have a profound and lasting impact on the student experience, not just during their time at a higher education organisation but even once they have graduated. Data records and research information are stored by universities and colleges long after students depart and become alumni, as they often need to be shared with future employers or even used for medical purposes. Consequently, it’s important that personal data and IP are always protected.
As controllers of student information, institutions should work with their trusted and proven technology partners to implement a data platform that securely and safely stores and transmits both student data and other key data applications. The most effective solutions will be those with security based on authentication, authorisation, auditing and encryption. The authentication capabilities will allow the institution to verify the identity of all users, while authorisation ensures that users can access the resources they need and no others. Additionally, auditing functions will guarantee that the institution has a log of user activities, predefined system transactions and application-specific events which the data protection officer can keep on record. This can be enhanced with encryption to protect information against unauthorised viewing, whether it’s stored in a database or being sent between systems.
Introducing cybersecurity strategies
These solutions should be paired with tried and tested cybersecurity strategies which define and operationalise how an institution identifies, protects against, detects, responds to and recovers from online attacks. By adopting such processes to test the effectiveness of the procedures the institution implements, and undertaking improvements as necessary, higher education institutions will be better able to mitigate risk and ensure students can access personal data in a timely manner should a breach occur.
Similarly, higher education institutions should also plan how to respond in the event of a security breach and consider the possibility of shutting down an entire network or system for a period of time, if needed. This potential plan will enable them to take the necessary measures to respond to an attack, identify the intrusion point, and reset and analyse the infrastructure, allowing the institution to get back up and running safely. It will also allow the time to change passwords, update credentials and restore data as necessary, as well as notify authorities of the breach in order to comply with data protection and security regulations.
Additional steps should include backing up data and keeping it offline at certain points on a regular basis, monitoring network traffic and managing access controls. With many thousands of staff and students to protect, active two-factor authentication should be considered to give every network user an extra element of security.
A wake-up call for the education sector
The education landscape has evolved dramatically over the last year due to increases in online learning and the use of online services, and with it, so has the online risk of attacks against this sector, so the need to tackle cybersecurity has never been greater. Therefore, with so much at risk and with 61% (nearly 4.8 million) of malware encounters reported in August targeted at the education sector, higher education institutions should consider the ways to protect and safeguard data and networks as a matter of urgency. By adopting a range of initiatives, including the implementation of appropriate solutions and strategies to securely process data, appointing a data protection officer, and working with technology partners, universities and colleges can drastically strengthen infrastructures and mitigate risks now and in the future.