We hardly need reminding that the Covid-19 pandemic and its far-reaching consequences have changed higher education, possibly forever. The all-encompassing, intense experience of University has been changed to a more remote-focused one, with lectures, seminars and even the flurry of socialising we expect from a University experience moving online. These cultural changes are just one facet of the changes underway at Universities: there is also a need for a renewed conversation about security in the new distributed educational environment.
Universities and security posture
Like many cash-strapped, bureaucratic, and often internationally minded institutions, the world of academia is not famed for its security competency. This can be due to the security failing of a third party, as we have seen with the Blackbaud breach, which devastated upwards of 100 higher education institutions due to a vulnerability in their cloud platform.
Security must be of paramount importance to those arranging higher education studies, particularly in the remote or distributed world we are now all existing in. The use of tools such as Zoom – who have just announced a move towards two-factor authentication – needs to be done in a way where access to documentation, lectures and other education materials is protected on the basis of a secure digital identity. Failure to do so could lead to the educational integrity of institutions being questioned and could also lead to damaging fines being levied on already financially precarious Universities by governing bodies such as the EU, via GDPR. In the event of something similar to the Zoom breach which happened earlier in the year, and which led to 500,000 Zoom passwords being put up for sale on the dark web, Universities should be prepared to ensure they are GDPR compliant and have taken the necessary steps to protect their online resources.
The University as a target
Even more disturbingly, a security compromise or breach could also leave potentially unpublished academic work at risk, stopping important research and developments from being published. This is already a well-established method of attack for cybercriminals, who in 2019 targeted Universities in the United States in order to steal maritime and military secrets, according to the Wall Street Journal. Even more recently, hackers working on behalf of the Iranian, Russian and Chinese states were reported to have targeted scientific facilities at UK universities, in order to gain access to ground-breaking – and financially lucrative – Coronavirus research.
From a revenue-generating perspective there is also an incentive for remote learning to work: as international students are the highest fee-paying students at Universities, including them in courses to a high standard is crucial to universities maintaining their yearly income, which in turn funds facilities that can help to draw further students in years to come.
What is to be done?
That cybercriminals have begun to prey on individuals as more of us are working outside protected environments without appropriate security is not up for debate, and has been documented thoroughly by a plethora of research throughout the past 6 months. Where the corporate office once had the benefit of enterprise-level firewalls, a centralized network and onsite IT professionals ready and available to help with any issues which may arise, the remote network was often designed hurriedly in order to keep operational functions running smoothly, and without much consideration for security. The distributed environments where work has moved to in 2020 are plagued by insecure networks, devices and passwords, as well as a generally lax attitude to cybersecurity: a recent OneLogin global survey on remote working found, for example, that 50% of respondents had not changed their home Wi-Fi password in the last two years, compared with 36% overall. 25% of all of those surveyed never changed their password. This becomes even more complex an issue when considering undergraduates, away from home for the first time, thrown into the strangest University introduction scenario in living memory and unlikely to be considering security as a priority.
Security and Risk teams at institutions of higher education should be supporting the organisational and IT functions to make informed risk-based decisions on how employees, students and contractors can work and study from home securely by applying Multi-Factor Authentication (MFA). This reduces the risk of attack by increasing the complexity of the exploit for the malicious attacker, as they must gain access to multiple authentication factors such as password, token and/or certificates and, generally speaking, they have a short period of time to do this prior to the authentication attempt expiring.
In addition to this, a robust security training programme for students, staff and third-party contractors alike will help to make individuals more conscious of what security should be viewed as: an existential threat to an educational institution’s ability to deliver the education which students have paid for.
Author: Simon Whitburn, VP of EMEA at OneLogin