Data management as a defense.
The education sector is no stranger to cyber-attacks, as we’ve seen most recently with the NSW Education Department attack, where systems were momentarily shut down. Additionally, RMIT suffered an outage earlier this year from a suspected phishing attack in an attempt to steal sensitive data. With 1.5 million students enrolled in universities across Australia and 130,000 full-time staff, the sector is nothing but a gold mine for cybercriminals.
Lockdown has continuously pushed people to work or study remotely. As more people spend time online, cyber security becomes a greater challenge because user behaviour is harder to monitor. According to the Australian Cyber Security Centre, Australia experienced a 60% increase in ransomware attacks in the past year.
Education departments are loaded with confidential data: this includes credit card details, medical information, financial documents and academic records. Pair this with an increasingly open learning environment and it’s no surprise that cyber-attacks on Australian universities have soared significantly over the past 15 months.
Managing identities to mitigate security risks
For an institution that holds high volumes of sensitive information, it can be near impossible to analyse and keep track of this huge amount of data. Sifting through this data to figure out what’s good and bad can be an inefficient and laborious task, which is why investing in Artificial Intelligence (AI) is a great first step for an organisation to manage identities.
Risk-adaptive authentication can be a first line of defense, preventing hackers from entering the system. It constantly monitors and analyses a user’s normal pattern of behaviour over time, and any abnormal login attempt requires additional authentication. For example, an unusual location or time of day would be considered high risk, prompting an extra requirement for authentication.
In the case that a hacker does get into the system, User and Entity Behaviour Analytics (UEBA) systems utilise AI to gauge what is normal and abnormal user conduct. The UEBA system can catch threats in real time by picking up any abnormal behaviour, such as logging onto unusual applications or downloading significant chunks of data, then flag the behaviour and automatically revoke access.
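The risk-adaptive check described above, as an added example (not code from this article or from any product it mentions): a per-user baseline of login hours and locations is built from history, and attempts that deviate from it are sent to step-up authentication. The weights, thresholds, function names and login history are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

MIN_HISTORY = 5         # assumed: fewer logins than this means no usable baseline
STEP_UP_THRESHOLD = 30  # assumed: a score at or above this requires extra authentication

# Constructed login history for one hypothetical user: (ISO timestamp, country code).
HISTORY = [
    ("2021-08-02T08:55:00", "AU"), ("2021-08-03T09:10:00", "AU"),
    ("2021-08-04T13:40:00", "AU"), ("2021-08-05T09:02:00", "AU"),
    ("2021-08-06T17:20:00", "AU"), ("2021-08-09T10:15:00", "AU"),
]

def build_baseline(history):
    """Summarise normal behaviour as hour-of-day and location frequencies."""
    return {
        "hours": Counter(datetime.fromisoformat(ts).hour for ts, _ in history),
        "places": Counter(place for _, place in history),
        "total": len(history),
    }

def hour_is_usual(baseline, hour, window=1):
    """True if a past login falls within +/- window hours (wrapping at midnight)."""
    return any(baseline["hours"][(hour + d) % 24] > 0
               for d in range(-window, window + 1))

def assess_login(baseline, ts, place):
    """Return (decision, score, reasons) for one login attempt."""
    if baseline["total"] < MIN_HISTORY:
        # Cold start: with no pattern to compare against, do not assume low risk.
        return "step_up", STEP_UP_THRESHOLD, ["insufficient history"]
    score, reasons = 0, []
    if baseline["places"][place] == 0:
        score += 50  # illustrative weight
        reasons.append("unseen location")
    if not hour_is_usual(baseline, datetime.fromisoformat(ts).hour):
        score += 30  # illustrative weight
        reasons.append("unusual time of day")
    decision = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return decision, score, reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ts, place in [("2021-08-10T09:30:00", "AU"),   # matches the pattern
                      ("2021-08-10T03:12:00", "AU"),   # usual place, odd hour
                      ("2021-08-10T03:12:00", "RO")]:  # odd place and odd hour
        print(ts, place, assess_login(baseline, ts, place))
```

Recording the reasons alongside the decision lets the help desk explain a step-up prompt to a legitimate user and gives analysts a field to search on.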
It starts with better passwords
Deakin University, one of Australia’s leading tertiary education providers, discovered that staff were not using secure methods to store and share sensitive data, including personally identifiable information: they were storing it in spreadsheets saved on shared drives. Such an open resource can make it easy for hackers to gain access and steal credentials. LogMeIn worked with the university to deploy a password management solution, which gave Deakin University an overview of the types of passwords used by its staff and by the 60,000 students it teaches annually.
Our latest Psychology of Passwords report revealed that 41% of people think that their accounts aren’t valuable enough to be worth a hacker’s time and may therefore fall into the trap of bad password habits, such as using the same password or a variation of it. While 91% know this is a risk, 66% do it anyway. Every little bit counts: if a hacker gets access to one piece of information, it’s a mere breadcrumb that can lead them to something more valuable, such as your personally identifiable information.
More than just the technology
Strengthening a university’s cybersecurity strategy is not just about building up technological infrastructure: enforcing better user habits through educating staff, students, and alumni in best practices to improve cyber hygiene is just as important. It’s also important to consider that universities include a broad spectrum of users and employees with various levels of digital literacy: technical, non-technical, staff, students, and alumni.
Technology in place can be made redundant if a user is fooled by a malicious link in an email or unknowingly clicks on an infected site. The latest report from the Office of the Australian Information Commissioner (OAIC) states that 38% of data breaches were due to human error. Additionally, education ranked third among the industries reporting the most data breaches. As phishing and ransomware attacks become increasingly sophisticated and harder to detect, individuals need to be equipped with the appropriate knowledge of what to look out for and how to report suspicious activity if they come across it.
Universities have a responsibility to ensure that the technical environment in which their staff and students operate is secure and protected. However, cyber awareness should be increased across the organisation, no matter the role or individual responsibilities of the person. Cybersecurity is everyone’s business and a constantly evolving issue, so it’s important that cyber hygiene is maintained to avoid a crippling cyber attack.