Curated content from Cisco and Optus
Nearly 80 per cent of university executives saw 2020 as the tipping point in terms of prioritisation of digital technologies. The rush to online delivery, work from home and increased digital enablement of research accelerated technology investment.
In some cases, this also revealed how a previous lack of investment in technology exposed cracks in university infrastructure, systems and overall security posture. A number of universities were exposed to serious risks that had the potential to undermine their reputation with students, staff, industry and regulators. At – or near – the top of the “risk list” was cybersecurity, which continues to keep vice chancellors, council members and CIOs awake at night.
An article published in early 2021 revealed that almost half of Australia’s top 20 universities appear to have no protection in place against hackers impersonating their domain to trick people into giving them sensitive information and taking over their computer systems. Only two universities were found to be proactively blocking fraudulent emails from reaching students, alumni and faculty staff, raising concerns that the rest of the top Australian universities are leaving themselves open to attack.
The article reinforced that not enough had changed since 2019 when a comprehensive study of university cyber readiness revealed the cyber threat facing Australia’s education institutions. In the study, 62 per cent of universities ranked cybersecurity as one of the top priorities for their boards, councils and stakeholders.
Despite the priority and urgency placed on cybersecurity, only 23 per cent of education institutions were confident that their current approach to cybersecurity is fit for purpose and efficient. The vast majority of organisations suggested their approach to cyber needed improvement.
The education sector was ranked the worst out of 17 industries from a cybersecurity threat perspective. IT consultancy SecurityScorecard concluded that the education industry is not taking many of the necessary steps to protect students from cyber vulnerabilities. According to the study, the main areas of cybersecurity weaknesses in education are application security, endpoint security, patching cadence and network security.
This cybersecurity threat is only going to increase in terms of magnitude and impact. As mass-connectivity and sensor-driven digital campuses become a reality – enabled by next-generation technologies such as 5G – university leaders will need to secure a much larger surface area.
How to secure the university
There is no simple or single way to secure an organisation as complex as a university. Cybersecurity is an arms race with attackers continually improving their tactics and upping the ante on technology teams to mitigate risk. The most sophisticated universities:
- understand where the crown jewels are from a data perspective and allocate disproportionate resources to protecting them. For example, they establish accurate inventories of all personal data and address basic vulnerabilities such as overly generous database administration rights
- undertake sophisticated and regular testing. For example, they regularly conduct penetration tests, review and practice security response procedures and test restoration procedures
- train people (staff, contractors and third parties) and test systems for a breach. For example, they require employees and contractors to have formal training in data protection and privacy practices and implement internal phishing awareness campaigns to raise awareness and change behaviours.
- continually monitor and proactively seek out data on threats. For example, they have access to high-quality threat intelligence feeds and employ network segmentation to help reduce outbreak exposure, coupled with first-line-of-defence tools that can scale (like cloud security platforms).
A more challenging and resource-intensive imperative for institutions is to get the network infrastructure right. Increasingly this means a network that is software-defined and allows security threats to be tackled at the network level rather than simply relying on interception of email and other data via firewalls. Legacy applications and infrastructure are a major vulnerability and put the education sector at significant risk from a cybersecurity threat perspective. In fact, 61 per cent of organisations view their legacy applications as the primary vulnerability, while legacy infrastructure also presents major risks, followed by a lack of skills.
Universities can address these risks by:
- treating cybersecurity as active combat, not a checkbox exercise: Cybersecurity is an arms race with antagonists that are sophisticated and well-resourced. Checkbox approaches to security aren’t likely to be successful because the threats keep changing. Digital extortion is not only on the rise, but the extortionists are also becoming more convincing.
- creating visibility of the end-to-end information technology environment: While it’s not always possible or desirable to centralise all technology, organisations do need to maintain consistent security controls, and achieve visibility across the network, cloud and endpoints by adopting an integrated architectural approach to security. Optus’ Liquid Infrastructure, for example, is a Software Defined Network (SDN) automation platform that enables institutions to visualise their network services on demand – providing significant insight into how the network is operating and making it easier to configure changes including the security postures.
- choosing the right partners: Given the combative nature of cybersecurity, organisations need partners and a high level of trust, particularly at an infrastructure level. Cisco and Optus have a track record of working with organisations to secure their technology environment. The University of Western Australia is an example of an institution that has had to quickly mitigate cybersecurity risks, via a partnership with Cisco and Optus. The relationship with UWA is broader than supply of technology, recognising that in times of uncertainty and change institutions need partners, not just suppliers. For additional details, please read the UWA case study found here.
- re-prioritising investment towards cybersecurity: The list of cybersecurity measures which are expected to get increased funding is extensive (see below). Given that university budgets are under pressure from declining international enrolments, resources will need to be re-allocated.
To access the full study on the digitisation of Education Campuses you can download the report from either of the below sources:
Vector Consulting. ‘Securing Australia’s education institutions: How universities, TAFEs and school systems are responding to the escalating cyber security threat’. July 2019.