Cyber Security: Higher Education’s Highest Risk

For the third year running, cyber security has topped the risk registers of higher education institutions, before financial sustainability, student experience or infrastructure.

Digital transformation increases cyber security risk

This is not surprising, considering more than 90% of UK organizations say they have experienced greater exposure to cyber risk due to increased digitization in the last 2-3 years. And higher education institutions have had to digitize like no one else. The pandemic pushed universities and colleges around the world to “get online and keep the lights on” almost overnight. Some of the IT systems set up during the COVID rush are still running, with many colleges and universities still playing catchup in creating a better online experience.

As a result, (and also due to increased cyber warfare) the number of cyber-attacks (ransomware and data breaches) between 2021-22 and 2022-23 has significantly increased (by 258%). The UK has reported suspiciously low numbers of attacks over this period, when in fact a Times Higher Education survey reports cyber-attacks on UK universities occur weekly. Are higher education institutions coping silently with ransomware attacks to avoid reputational damage and further vulnerability to more attacks?

Why is cyber security so high on the risk agenda?

Cyber-attacks cost money, trust, reputation and cause liability.

In the current climate of political and funding pressures, culture wars and partisanship, colleges and universities can be targeted by malicious attacks from multiple sources: current or former students, political groups, foreign state interference, and so many others.

Whilst most cyber-attacks are caused by financial gain, not all cyber crime is made equal. Higher education institutions hold unique intellectual property, confidential research and commercialization agreements that give them and their people a unique competitive advantage.

Think of the COVID vaccines, new discoveries in technology, neuroscience, medicine and so many other fields – many of them have been conceived in college and university labs. A cyber-attack can steal, leak, block access or entirely remove this hard work, now that everything is stored online.

Because institutions are becoming faster and more adept at identifying and stopping these attacks, intruders act fast, and end up sweeping entire servers and databases to gain access to as much information as possible. This can include staff and student identity data and documents, medical records, payroll or academic records, in addition to research and other intellectual property.

What implications do cyber-attacks have on higher education institutions?

The impact of cyber crime depends on the culprit, but institutions are right in assuming worst case scenarios in each instance.

In what was dubbed at the time as “the biggest hack in Australian history”, the attack on one of Australia’s largest telco caused chaos. It led to sensitive information being shared on the black market and millions of people having to replace their credit cards, passports and driving licenses.

Identity theft, private and confidential information disclosure, the ability to continue studying or working are just some of the side effects for students and staff. If their work or academic records have been erased with no back-up, this can cause immense stress and disruption.

How much do cyber-attacks cost universities and colleges?

According to a report from IBM, the average data breach in the higher education and training sector cost $3.7 million in 2023, whilst another states the education sector lost $53 billion over 5 years (2018 to 2023) worldwide in downtime alone. Lawsuits often follow large data breaches and can hike their costs significantly. The University of California was subject to several class action lawsuits, and ended up paying out over $7.5m to victims, after paying $1.14 million to hackers as ransom.

The reputational risks and the loss of institutional trust are much harder to quantify, and for smaller institutions with limited financial resources, this could be the nail in the coffin, as was the case for Lincoln College in Illinois.

Education is the first line of defense against cyber threats

“As cybersecurity attacks become more sophisticated, user education must try to keep pace. Removing the stigma or embarrassment from reporting a phishing attack to your IT or cybersecurity department is crucial to gaining trust with your user community.” States Joe Potchanant, director of the cybersecurity and privacy program at EDUCAUSE, in an interview with EdTech Magazine.

Clear and regular communications about the many ways students and staff could be targeted and a clear and easy to activate protocol in case of suspected phishing or malware attacks are vital.

More strategic investment in IT departments

If cyber security is the top risk for higher education, then IT departments, IT infrastructure resilience and their funding should also be high on the priority list. Except, it’s not quite the case: IT share of budget is around 4% on average.

IT departments are the engine room of universities and colleges, but they haven’t quite gained the recognition they deserve. The talent gap determined by the inability of the sector to compete with commercial institutions on compensation and flexibility, among other things, is adding pressure on existing employees.

Use technology to work smarter not harder

IT departments have many plates to spin, but their main priority is to keep students online, to deliver their core functions: access to the knowledge and the tools to deliver courses on campus. Many institutions have extended this access to student devices, through app visualization or virtual desktop infrastructure (VDI). And the more complex the IT infrastructure, the harder it can be to maintain. And the more exposed it is to vulnerabilities and threats.

When Middlesex University adopted the AppsAnywhere technology in 2019, they were delivering around 100 applications to over 4000 computers across campus. Most apps were installed manually on each machine, which caused several issues, including low device performance and a never-ending catchup game on software security compliance.

Now in its fifth year using AppsAnywhere software delivery, the team have doubled the number of applications and significantly increased the number of devices they are being delivered to, through a robust BYOD (bring your own device) strategy.

Whilst this could have exposed the infrastructure to cyber-attacks, it actually allowed them a better control over how applications are accessed by students and staff. It enabled more regular updates of security patches and maintaining a lean management of active users with minimum down time.

“Every summer we would spend weeks reimaging and updating every device on campus. Now with AppsAnywhere it takes literally minutes. This has freed our team to do much more exciting work and we invest our time in improving processes and strengthening on cyber security” stated Roger Fox, Operations Group Manager, Computing Communications Systems Service (CCSS) at Middlesex University.

Mitigating risk is not the same as risk-averse

Cyber security has long been considered the problem of IT leaders, but when it reaches the top of institutions’ risk register, it becomes the priority of Presidents and Board members. Leaders need to get granular in their understanding of how cyber security affects their institutions at strategic level and make bold decisions to invest in innovations that will protect institutions and their students.

‍