(Cyber)security is everyone's business
It hardly seems necessary to mention the risks we run when using digital devices, but it never hurts to add more detail. Having permanent access to the information, knowledge and people we need in our daily lives comes at a cost.
As economists say – there is no such thing as a free lunch. In this case, we are paying for it with the risks we are taking, and the IT security commitments our organisations are having to make. This article looks at one of the types of organisation most affected by risk in the use of digital devices and media: universities.
In many countries, national security centres are warning that universities are among the sectors most vulnerable to cyberattacks. Why? To try to provide an answer, let's examine four questions: (1) Why universities? (2) What are the risks? (3) How can universities be harmed? (4) How can universities protect themselves?
The vulnerability of universities to cyberattacks
Let's start by thinking about why universities are a target. Universities are information-intensive organisations – they generate data, information and knowledge. And they do this by working with people. They also conduct high volumes of financial transactions via the internet. In addition, they have high-performance computing infrastructures not only to teach the coming new (quantum) computer age, but also to conduct experiments within the framework of projects. Knowledge assets and IT capabilities are two of the key targets for criminals; this is why universities have been identified as vulnerable.
So, what risks do universities face? In the case of digital knowledge assets, the most common method is to encrypt them in order to demand a ransom to recover them (known as ransomware). In some cases, this data is published on the dark web, where it can be used for criminal activities. Ransomware attacks have grown significantly as a threat. It is estimated that 70% to 80% of organisations have suffered some kind of harm from ransomware attacks. These digital hijackings present a twofold problem. In the context of, for example, the Spanish university system, with a significant proportion of students in public universities, responses to cyberattacks are a matter of public policy. Giving in to kidnapping and blackmail is not an acceptable position for public authorities. In the private sector, this is different: it is estimated that the cost of recovering from a ransomware attack is usually equal to the ransom payment. In other words: if assets worth €200,000 are seized from you, it ends up costing you the €200,000 of the ransom + €200,000 to return to normal. These costs result from downtime, the cost of repair and the opportunity cost of what you have not been able to do. In addition, attackers also frequently hijack processing capacity at universities. Recent attacks in university contexts have been used for cryptocurrency mining – a quick and easy way to earn money. Albeit illegally!
In this regard, teleworking adds an additional layer of complexity. A significant development from 2020 was the rapid rise in working from home. The term “perimeter security” refers to that space or bubble we need around us to use a computer or mobile phone safely. When we all stayed home and worked, much of that perimeter underwent a process of change. And while organisations stepped up their cybersecurity efforts, the dispersed office context required an IT architecture that was not always compatible with the generation of secure spaces. The risks proliferated.
Types of cybersecurity risks and attacks faced by universities
How do attackers access university systems? It is estimated that in the first half of 2020, during the first few months of the pandemic, phishing attacks – gaining another person's trust by impersonating someone else – doubled. The most commonly used method of attack was sending an email, impersonating someone's identity – with another email just changing one letter, for example – and adding an attachment which, when opened, installed malicious software on that computer (malware). With remote working, we relied to a greater extent on emailing and the written word as the primary means of communication. So sneaking something through in this way became easier. The problems can be greater if the person in question, working from their sofa in pyjamas, uses a device that is also being used to access their social media profiles, shop online or hold video conferences. It seems likely that when we consolidate statistics on cybercrime in the post-pandemic era, we will discover that identity breaches in these spaces have multiplied. And that is why we should check regularly whether we have been victims of any identity breach. Furthermore, access can occur through information systems that interact directly with the data (SQL attacks) or by simulating a password (Always ask yourself if your password is secure). Whatever the case, it is best to be cautious as individuals. And organisations need to be even more cautious. This is where multi-factor authentication (MFA) systems are gaining traction. A Times Higher Education study showed that 87% of universities are implementing MFA for staff (up 15% from 2020) and 49% have it for some or all students (up 27% from 2020).
Enhancing cybersecurity: strategies for universities and the importance of awareness
In addition to acting with caution, and enhancing digital education (which basically refers to understanding what we are using and how we are using it), the main thing that helps protect us is awareness. The university community should be concerned about all of this. The potential losses are not only financial (theft of industrial property, competitive advantages, etc.), but also reputational. The digital economy is based on trust; think of how many friends you have who don't shop online for fear of entering personal data. Reputation and the generation of a framework of trust when interacting with internet services is key to gaining digital competitiveness and taking advantage of all its benefits.
Having unique digital assets makes universities more valuable. But to this we must add two other factors: investment in cybersecurity is still low compared to other sectors; and society in general (not just university staff) is still unaware of the risks we run when browsing or using a computer. Cyberattacks are on the rise worldwide, and companies and universities are suffering multimillion-dollar losses. Stay safe!