
Don’t risk it: why universities need to manage IT security risks closely

Universities have embraced technology as teaching and learning tools, while students and staff alike typically rely on connected devices for far more than just studying. As university campuses serve as the hub of student life, providing reliable, fast internet access for students, staff and guests is simply expected.

This abundance of connectivity helps students and university employees feel more connected to the university and delivers better education outcomes, but it also comes with risks. Often, these risks are practically invisible because universities don’t have adequate visibility into what’s happening on their networks.

Universities face two key challenges when it comes to cybersecurity. On the one hand, the proliferation of connected devices – some of which are owned and managed by the university, while others are owned by individuals – creates a plethora of potential entry points for cybercriminals and other malicious actors. Securing these devices isn’t always high on the university IT team’s list of priorities, but it should be.

The second challenge is maintaining information security. Universities gather and store a lot of sensitive information about students and staff. This can range from credit card details, grades and address information, to photographs of the student and information about any health issues they may face, including mental health. The disclosure of this information to malicious actors can result in identity theft, financial losses and significant emotional or psychological harm.

For example, fraudsters could use a student’s information to apply for and receive government benefits. This type of identity crime is often only discovered when the victim tries to legitimately apply for these benefits only to find out that someone is receiving them in their name.

The effects of identity theft can be expensive and far-reaching, with many victims thinking they’ve finally cleared everything up, only to find yet another complication down the track.
Even just having their grades or health information exposed publicly could affect a student’s ability to gain employment and could lead to bullying and other negative outcomes.

Universities must comply with the government’s mandatory notifiable data breach scheme, which came into effect earlier this year. It requires organisations to report data breaches if they’re likely to result in serious harm, regardless of whether the information breach was deliberate and malicious, or merely an accident.

The best approach for universities, rather than reporting a data breach, is to minimise the risk of a breach happening at all. This can seem like an insurmountable challenge given the potentially large number of devices connecting to the university’s network. These devices can run on a variety of operating systems and with varying degrees of built-in security. When the devices are owned and managed by the university, it can be relatively easy to ensure they’re fully secured. However, when it comes to personal devices, it can be hard to maintain control. And each of these devices represents a potential entry point to the university network for hackers.

Hackers may attack the network to steal information, change information such as grades, sabotage classes, courses or the entire institution, or merely as an unsanctioned academic exercise. The potential rewards for a successful attack are significant, making universities very attractive targets.

It is essential that universities implement enterprise-grade security measures to protect themselves and their students and staff. An effective solution requires a combination of tools, resources, knowledge and culture. It’s not essential to fix every potential vulnerability at once, particularly if doing so would require an impossibly large budget. However, universities can start with the highest-priority vulnerabilities and develop a plan to close all the potential gaps over time.

To make the most of existing budgets and avoid wasting resources in areas that won’t deliver a strong return on investment, universities should work with a security partner that can conduct a comprehensive security assessment and help develop a strategic plan that takes the university to an acceptable risk level as soon as possible.

Universities can also take control of the culture element of security by building training and education into every IT-related interaction. Formal and informal security training can help university stakeholders realise that they can play a significant role in protecting themselves and the university. Basic efforts such as not clicking on links in unsolicited emails, patching and updating all devices promptly, and password-protecting mobile devices are easy and cheap to implement, and they go a long way towards keeping the university network secure.
Reminding people that security is everyone’s responsibility and gaining clear visibility into the entire network are both crucial to keeping a university safe.

Hugo Hutchinson is Wavelink’s national business development manager for Fortinet.
