Cyber Security Issues In Higher Education

When we talk about organizations with significant cyber security needs, governments, businesses and healthcare providers often dominate the conversation. However, we shouldn’t overlook cyber security issues in higher education. It’s a sector where not only is security a major topic, but that security is challenged by specific threats.

These issues largely fall into three categories: the appeal to attackers, technical challenges and the human element.

An Attractive Target

Drill down into ransomware statistics and you may be surprised to find that higher education is one of the biggest targets. It makes sense when you think about it. Universities are heavily tech-dependent in their daily operations. Their networks have a large number of users who’d be significantly affected by an extended outage or loss of data. They also have large budgets on paper, even if they don’t always have much spare cash in reality.

Higher education establishments also handle a wealth of personal data about staff and students, including highly sensitive material in some cases. This further appeals to cybercriminals, whether they want to get the data itself or simply use it as a bargaining chip.

There’s also scope for attacks backed by nation states. They want to get their hands on sensitive data from research departments at universities, many of which work on key infrastructure and scientific developments. Such attacks may not seek simply to uncover data but also to disrupt operations and set back research. In some cases, attackers may be aiming for knock-on disruption, for example to military or commercial operations that rely on higher education research.

Technology Issues

Unfortunately, higher education establishments almost inherently suffer from a range of technological limitations that make them more vulnerable to attacks. For example, many struggle to find the right balance between access and security. Students expect to be able to access systems using their own (potentially insecure) devices. Meanwhile, making internal networks available to other establishments is a key part of the knowledge sharing philosophy.

One of the more ironic problems is that universities were among the pioneers of technology, particularly networking and the Internet. That often means they are reliant on legacy software rather than having the more up-to-date tools used by later adopters. To make things worse, the desire for independence among individual departments can mean major inconsistencies between the applications used, the editions installed, and the level of patching.

One security issue that’s often undersung is the risk of SQL attacks through a university’s various websites. Many such sites involve online forms to submit everything from course applications to project work to requests for collaboration or media commentary. Without the right protection these are key entry points for would-be attackers.

Organizational Issues

Some of the most serious cyber security issues in higher education involve the organizations themselves, particularly the way that people work.

For example, every year thousands of students graduate. However, between post-graduate study, those who take jobs at the establishment, and alumni programs, universities often choose not to immediately cut their access to networks. Over the years, this can greatly increase the number of people with access. That not only brings capacity challenges on systems never designed for such a user base, but it means more exposure to phishing scams or malicious activity.

Unlike many organizations, the majority of users on a higher education network will be students (who are in some ways customers) rather than employees. That can make it more difficult to make sure users remain up to date with security threats, for example through training. A university may offer some form of cybersecurity education to students, but it’s much harder to mandate attendance or ensure understanding than it is when dealing with paid staff.

The educational calendar also plays a big role in the way university networks operate. It’s not just a case of term time vs vacation periods affecting network usage levels. The way people use networks (and how that affects security risks) varies significantly through the year, for example with peak periods for coursework submission or handling applications for the following year. Some establishments hire out venues and campus accommodation in the summer break for conferences, which can bring a new set of security threats with short-term network users.

Sadly, funding is also an issue. When hiring cybersecurity staff, universities are often in competition with businesses or government agencies who may have much bigger budgets or be able to offer more attractive perks and benefits on top of salaries. That’s particularly the case where management doesn’t see cybersecurity as a financial priority, for example if they underestimate the threat and the potential costs of successful attacks.

Recruiting Cyber Security Staff For Higher Education

Given all the issues we’ve outlined, it’s clear that higher education establishments can’t take an off-the-shelf approach to recruitment. A cybersecurity expert with an impressive resume and a list of qualifications may not be sufficient to meet the higher education sector’s specific needs. Instead, suitable candidates will need a range of specific skills including:

• The human skills to understand and work within an organization where the chain of command and relationship between departments isn’t always straightforward and smooth.
• The ability to prioritize immediate and long-term threats, particularly when resources are not unlimited.
• Experience dealing with the education sector and the different ways it experiences and handles variations in demand for computing resources.
• Developing engaging ways to increase cybersecurity awareness among teenagers and young adults, many of whom may be unwilling to be “lectured to” on tech topics by older generations.

The good news is that specialist recruitment agencies such as Intercast have the experience and talent pool to find the right people with the right skills. Contact Intercast today to discuss your staffing needs and how we can help.