Cyberattacks are a part of the everyday life of the sector.
There’s been countless examples of universities brought to a standstill by opportunistic attacks in recent years – and not all of them have hit the headlines.
The way universities work – the flow of information and ideas, the growth of mobile working, the wide variety of people that have legitimate access to provider systems, and the normalisation of a huge range of devices accessing networks, means that a heightened risk is baked into the sector’s very ethos. As repositories of valuable intellectual property, heavily networked with industry, and replete with all kinds of personal information makes universities tempting targets for the most sophisticated threats. Attackers have focused their efforts on universities that research defence technologies and innovation around new fuels and battery technology.
The huge scale of cybercrime globally goes far beyond the popular image of opportunistic amateur hackers showing off their skills – attacks are more likely to come from nation states, international organised crime networks, and “hacktivist” or cyber-terrorist groups. This presents a real challenge to establishments that are trying to carefully balance information sharing and openness versus the challenges of security, which by virtue tends towards limiting access.
The spectre of data and systems being lost or compromised therefore features in the risk management planning of every higher education provider. Prevention is an important mitigation (the work of Jisc’s CSIRT team is a valuable resource here) – but what if your provider becomes a victim of cybercrime?
Who do you call?
Chances are that you will have an incident response team on a retainer, or available via your insurer – I spoke to Dave Harvey, who is the Director of the Cyber Response Team at KPMG in the UK. His team will take 5-10 calls a week from clients, such as universities, dealing with attacks ranging from the merely annoying to the existential. It’s part of one of the largest cybersecurity practices in the world.
Higher education is a big target for cybercrime, second only to national infrastructure in terms of the amount of activity. This can represent anything from copying and hiding data through to ransomware and widespread operational disruption
The modalities of attacks change – whereas ransomware (where your data or systems are “locked” and require a payment to unencrypt) was dominant among financially motivated attacks in the early part of the last decade, you are now more likely to see data extortion. This means that sensitive or personal data is copied, and threats of sharing or releasing the data are used to force payment.
The MoveIt attacks in early 2023 are a classic example of how threat actors have evolved and have focused efforts on third party providers. Another example of how ruthless these criminals are involved another educational establishment where a copy of the passport of a relative of the chief executive and anonymous calls to the partners of board members were used to exert personal pressure. Data security here becomes a human problem.
Rehearsal
The risks are enormous, which is why rehearsal exercises involving senior teams and domain specialists (in finance, HR, data, and legal) are commonplace on campus. Simulating realistic scenarios helps identify and rectify any potential weaknesses in response plans. The days of assuming cybercrime is something your IT department deals with have long since passed. Indeed, in England, a cyberattack may be an Office for Students Reportable Event:
When you report on a cyberattack to regulators it is vitally important that you report on the facts of the case, not on your concerns or worries. However, getting to the facts can be complicated.
When Dave and his team work with a university, they stay with them as long as is needed. Initially working to contain and eradicate the threat, they are then able to recover the data and critical systems, before making any necessary remediations and hardening security against future attacks. The KPMG team also supports independent route cause analysis and post incident analysis which can help identify why the incident happened and ensure that adequate measures can be put in place to avoid reoccurrence. This is a focus area for many regulators, so not something to be underestimated.
The future
However, despite efforts to harden systems and strengthen protocols, universities need to be prepared for when a cyber incident happens. Cyber incidents are inherently complex and therefore, practising and rehearsing is key. There are some measures that can be taken to reduce risk – and these centre on what often presents as a lack of understanding about what the university is and what it does. As Dave explained:
To start being safer, you start by knowing yourself. What assets – personal data, for example – do you have? Where is it? Who has access to it? These are matters of basic cyber-hygiene
Once you understand yourself, it’s then important to understand the threat to you. For example, physical security – who can walk into an office and access university systems? – is as important as knowing what systems you are actually using and how vulnerable these are. You should routinely be updating and patching core systems to keep them ahead of known risks, but this needs to be understood at a governance and procurement level (are you using the kind of software that can be hardened in this way?) rather than leaving it to the IT team to run updates.
Or as Dave would say: “Cybersecurity is an enterprise risk. And it is everyone’s job.”
This article is published in association with KPMG.
I am sure KPMG do a great job, but the first people universities should call if they have suffered any sort of cyber incident is Jisc’s CSIRT, (Cyber Security Incident response Team). CSIRT is included in the membership fee, and is NCSC CIR L2 accredited (Cyber Incident Response level 2 ). Jisc is in a unique position in relation to the Janet network, which means we can take measures across the network that no other organisation can.