Universities are fighting a cyber security war on multiple fronts


This article originally appeared in issue 29 of IT Pro 20/20.

For years, a war has been quietly raging between cyber criminals and academic institutions, which are finding themselves increasingly under pressure. Despite the multifaceted cyber security fabric protecting universities, including anti-phishing measures and professionals with titles like threat hunter, the danger seems more prevalent than ever.

Cyber crime has long had a significant impact on the UK landscape, with the annual damage to Britain’s economy estimated to be £27 billion as far back as 2011, according to government figures. Ten years on, FE News put the average cost of a cyber attack on the educational sector at £620,000.

A swathe of attacks in recent years illustrates the growing threat. Just in the last year, we’ve seen the University of Sunderland, the University of Northampton and the University of Hertfordshire suffer devastating cyber attacks. In 2019, meanwhile, the National Cyber Security Centre (NCSC) warned universities were a prime target for nation-state attackers.

According to experts, academic institutions are battling a war on three fronts. These include a complicated and fluid technology environment, a variety of threats targeting both students and staff, and cyber warfare – the threat of hackers who aren’t just financially motivated but driven by the prospect of stealing research on behalf of nation states.

University cyber security is a different game entirely

Universities operate fundamentally differently from your typical business environment, according to Terry King, regional director for Guidepost Solutions, a company focused on risk mitigation. For him, the challenges begin with the variety of users.

“It is really an uncontrolled workforce to a certain extent – unlike a large corporation, which may have the same physical distribution; may have the same number of employees working for them,” King says. “Most of those are controlled; their phones are issued; their laptops are issued; the applications that are downloaded and applied are easily managed. It’s just the absolute opposite coming to university.”

King says many of the threats being levelled against businesses, like ransomware, are the same ones cyber criminals were using to hit academic institutions. Those concerns were only “highlighted” once COVID-19 began to impact university structures and procedures. Specifically, though, universities are often tasked with protecting against cyber attacks aimed directly at accessing research data, as opposed to hackers who seek to receive financial compensation for less sensitive data.

Jake Sloane, a senior threat hunter for WMC Global, says much of the access obtained to university systems begins with a password leak of some kind. “[When] you're looking at that infrastructure, and that backend security of a research facility, for a threat actor to gain access to that they need to have some vulnerability,” he says. “And we all know the weakest form of security is the human.”

Indeed, one fifth of breaches begin with “compromised credentials”, according to IBM research from 2021. Sloane says those breaches often come from password reuse, a password being leaked, or a phishing attempt – including through sites targeting Office 365 users.

It isn’t just students at risk

While a lot of the focus on cyber security is levelled at students, many of whom are intersecting with large-scale academic environments for the first time, King says that each person on a campus has some form of responsibility when it comes to cyber security. “Everyone has a level of ownership of this from the top down, it needs to be one of the most important things a university looks at in terms of how it defines its overall threat and risk landscape.”

While the initial breach may be what Sloane calls “a popping” of a student account, hackers quickly start pivoting. So, instead of focusing on the student with limited access, they will use those credentials to then infiltrate the accounts of people higher up the chain, like a researcher or professor. Often, the aim is to gain access to research that can then be sold to nation states.

“It’s a lot quicker and cheaper to hack your way in and get to the necessary research than it is to spend years and years actually building that research facility.”




For King it’s not just an individual concern, but a message that must be spread from top to bottom in academic institutions. As he points out, just because a professor may be running a research programme that contains highly sensitive intellectual property – a prime target for hackers – it doesn’t mean they are aware of the possible threats.

“The university has the highest level of accountability and responsibility, and they then need to understand what the levels of threat risk and vulnerability are within their organisation,” King adds. “They need to ensure, then, that those individuals that are leading in that hierarchical chain are aware of those [procedures], that they're applying those, and they're accountable and responsible for those.”

Fixing wider structural issues

Within a university’s structure, Sloane says, a lot of the direction taken at any one organisation comes from the priorities of the chief information security officer (CISO). Still, the biggest limiting factor remains the scale that some university systems are operating on, even if they do deploy effective tools like two-factor authentication (2FA) for all users.

“I know some universities prioritise it very highly and are very motivated to protect their lecturers and students but when you have so many students it's very difficult. Imagine the size of a company that would be comparable to the size of a student base in a single country. It's very difficult to do.”

To protect a campus, Lance Wantenaar, a cyber security expert, believes that a lot of the focus has to be on a multi-tiered system of defence; one that treats students with a certain type of separation. For him, the systems may be similar to those in the corporate world, but it’s become a question of funding and priorities. “I think you've got to consider the student body almost as an external user base to give you that management and to restrict your access a bit more.”

For King, communication is one of the most important aspects of defending against a cyber attack in a university environment. He points to a cyber attack sustained by the University of Sunderland in 2021 as an example where the administration chose to share that they’d been placed under attack. This approach was the opposite of what many companies and institutions choose to do in similar circumstances.

“Everybody's trying to attack each of these universities from a cyber perspective, so I think that information sharing and really building and utilising centralised resources to build awareness of what you're doing, what's been done and what you can do. That's really, really important.”

No matter the precautions, experts are clear: cyber criminals will keep attacking and IT professionals will continue being tasked with tackling the unique challenges of academic environments.

John Loeppky is a British-Canadian disabled freelance writer based in Regina, Saskatchewan. His work has appeared for the CBC, FiveThirtyEight, Defector, and a multitude of others. John most often writes about disability, sport, media, technology, and art. His goal in life is to have an entertaining obituary to read.