The Challenge of Cybersecurity in the University was the title of the 44th Conference of ICT leaders in universities that are part of the CRUE group in Spain. To discuss the main conclusions from this meeting of cybersecurity experts, university managers, and their technical teams, we organised a roundtable discussion between Juan Camarillo (University of Seville), Joaquín Canca (University of Malaga) and Andrés Prado (University of Castilla la Mancha).
From the perspective of their experience in technical roles at their respective universities, they gave us an informative overview of the current cyber risks facing universities.
One of the issues on which all three were in complete agreement is that keeping the university secure comes at a cost. Using metaphors such as seatbelts or COVID-19 protection measures, they pointed out how collective responsibility begins with individual responsibility. As such, they invited all university communities to take an interest in the measures that needed to be implemented to do their bit for collective security. This is especially true in the current context in which, everyone agreed, attacks are increasing at an unprecedented speed.
When asked about the threats that universities face, we were told that in the coming months we can expect to continue to see phishing attacks (identity theft); failures in firewalls (protection and defence mechanisms that organisations use); and VPNs without two-factor authentication (that mechanism of double authentication in virtual private networks that can be so annoying, especially if we work from home). They urged everyone to increase their awareness of these issues, stressing that they should be part of our daily vocabulary, just like the terms "mask", "social distancing" or "airborne contagion".
Because of the nature of the position they have in society, universities are open to the public. Information leaks, because of the unique knowledge assets we have, are a significant vulnerability. There is a major industry in the sale of personal passwords on the internet. In light of this, the speakers invited us to reflect on the need to update our passwords frequently, and also to consider changing our passwords regularly.
Drawing on their experiences with university IT, they discussed the timeline of an attack and its recovery. After all, it is one thing to prevent an attack, and another thing to be in a position to recover.
Attacks are slow processes, which only become apparent once they have sufficiently penetrated the perimeter. Usually what the attacker is looking for is to install malware: software with malicious intent, which, once inside our technological infrastructures, spreads to encrypt files or to obtain information that should not be let out of our environment.
And what is the next step? If there is any indication that such an attack has taken place, a forensic analysis must be carried out. Yes, just like in the movies. The best recovery strategy begins with transparency and communication, and, above all – resilience. It is not an instantaneous or rapid matter to recover a university environment. Experts spoke of having to manage up to 3 or 5 attacks per month. And recovery times could range from days to weeks. In short, the attack is slow, but so is the recovery.
In terms of impact levels, our guests talked about being on the receiving end of a large number of attacks. The vast majority are of virtually negligible impact, so they do not even make the news. Even so, they serve as a warning: we should talk not only about large-scale impacts, but also about those that, however small they may be, are a harbinger of what may come. That is why it is so important not to let our guard down, to think carefully about how to make our university accessible from remote locations, and above all to train and raise awareness among our users from the ground up.
Against this backdrop, they talked about attack routes. The devices we so happily use every day, especially mobile phones, which form part of how we personally relate to the outside world, are often vulnerable.
There is no such thing as 100% security. It's all about playing the odds. There are vulnerability scenarios that are more or less likely to occur. The National Security Schemes (NSS) are beginning to develop a series of security regulations that need to percolate through our organisations at the strategy or governance level of the university. Security is everyone's business, and as such it should be at the highest level of decision-making and management. The roundtable also looked at how to collaborate with the National Cryptologic Centre (CCN), part of the Ministry of Defence's National Intelligence Centre, the Department of National Security and the National Cybersecurity Institute.
The roundtable concluded by noting that universities must be committed to cybersecurity and train the entire university community, creating a culture of security. They also agreed that the greater use of the cloud in university settings also needs to be carefully designed to be secure and reliable.