Higher Education - do we care too much about our security?

Ade Taylor, Head of Security Services

In the last 18 months cyber-attacks on Higher Education have risen by 75% according to the National Cyber Security Centre. The temptation is to retrench – to focus on security, and on protecting your assets through ever-increasing levels of technical complexity and unworkable policies. But this would be a mistake – instead we need to understand why we are more vulnerable than other sectors, and more attractive to threat actors, ask what we can do about it, and then (and perhaps most controversially) ask if we really care.

History proves that cyber-attack is not a challenge we can spend our way out of, but the old trope, “it’s not if but when”, doesn’t have to be true if we spend some time understanding what it is about us that hackers find attractive – what do they think we have? It may be surprising just how ill-informed many threat actors are about the type and value of the data we hold.

Let’s start with why Higher Education is so much more prone to cyber-attacks and breaches than the majority of other industries (only financial services suffered more in 2023, at 79%). The truth is that the factors that make higher education institutions vulnerable are the very factors that make them a success – or, at the risk of sounding like a Marvel script, your greatest strength is your greatest weakness.

A large canvas

At their best, academic institutions are a seemingly endless expanse of interactions – collaborations with other institutions, with the private sector, with external students, with external NGOs, with financial services, with Government (local and central), with accrediting organisations, with trade bodies. The list is long and the risk is real. The wider your canvas, the greater the attack surface you expose to cyber breaches. Reduce your canvas and you reduce your risk. But reduce your canvas and you reduce your ability to offer an excellent education and/or an attractive proposition for innovation and research. You reduce your points of contact with the ecosystem that fuels your thinking and your ability to invent, create and collaborate.

Residential academic institutions are often targeted by cyber criminals entirely speculatively, and for good reason. If you’re looking for a target likely to yield something with value on the open market, a campus which consists of homes, shops, bars, recreational venues, business parks, research centres, banks, an ISP and, oh yes, learning facilities, all in one compressed area, is hard to beat. Don’t forget those tasty-looking class A IP addresses which are on clean lists all over the world too – plenty of fun to be had there.

Also, academia tends to be a more trusting, empowering environment, which, culturally, is something that all private and public sector organisations aspire to but, from a cyber security perspective, it can be disastrous.

Each point of interaction offers a potential point of weakness – partly because however careful the HE institution is, it can’t be as confident of the third party. Each domain, each share point, even each file sent between academics, is a risk – a small puncture in the canvas – and while it is possible to mitigate the impact, eliminating them is almost impossible.

Pioneering emerging tech

It is easy to forget the role that Higher Education plays in pioneering emerging technology. A common misconception is that HE is cautious – but in fact the culture of innovation, experimentation and collaboration means that institutions are often far closer to the cutting edge of emerging technology than a lot of the private sector. Gamification, cloud-based platforms, AR/VR, Generative AI, hybrid and adaptive learning, micro-learning – all of these trends are transforming the way we educate, and the way that education is provided.

The downside is that these technologies open up yet more opportunities for vulnerability – the bandwidth requirements, complex identity and authentication issues, multiplication of data and data silos, distributed security – all of these pose a new threat and need to be thought about both independently and collectively.

The value of the prize

HE is a great prize for cyber-criminals. The pickings are rich in terms not only of valuable personal information about students and academics, but also of commercially (and politically) sensitive information and research that has significant value. This value is both financial and reputational – and cyber-crime has the potential to damage your commercial proposition and the trust that your partners and students place in you.

Put simply, if you gain a reputation for not protecting your data, you find it harder to attract grants, harder to attract students, harder to secure the best commercial partners.

So, the question that is often asked is what can be done to fortify these institutions against the cyber threat?

Rather than focusing on software or even (ironically) technology, focusing on behaviour and culture is often more effective than any patch. The majority of breaches start with a slip within the system – they are human-centric, not machine-centric. It is as simple as the password on the post-it note, the unsecured Wi-Fi in the cafe, the laptop left on the train, the phishing email. Creating a culture where the cost and implications of a cyber breach are widely understood and recognised, coupled with accountability for the role everyone plays in maintaining security, starting at the top, is key. Each user or employee has a role to play – as much as anyone in the IT resource centre. Hyper-vigilance and familiarity with all aspects of cyber security (multi-factor authentication, password management, VPN, identifying malware or phishing) should be a must across the organisation. Coupled with investing in making sure that everyone is confident in using security software – understanding alerts, updating software, responding to notifications about malware or breaches – these empower your whole organisation to be part of the solution. A cyber-secure brick in the wall against attack.

But perhaps we are asking the wrong question.

There is a universal truism about cyber security – “Everyone gets breached”. And that’s true. But perhaps rather than accepting that, and investing more and more in trying to beat the trend, we should be challenging the statement. “Everyone gets breached; but do we care?” Or, more accurately, do we always care?

Of course we care, but the risk of caring is that we become protectionist. We restrict our systems, we reduce our points of collaboration, we make it hard to work with others. We lock down our systems at the first sign of a breach and lose months of work and/or advantage. Lockdowns are often more damaging than a loss of data – if for no other reason than that they force users to bypass systems to get things done, thereby opening up more fronts for attack.

So perhaps it would be more effective if we focused on what we HAD to protect, rather than protecting everything: identifying what is most important, most valuable, and then getting comfortable with a higher level of risk around the things that aren’t as important or valuable. It is a balance between a culture of collaboration and innovation that requires an element of risk, and a culture of security that protects the crown jewels.

If we spread our limited cyber security resources across our entire IT estate and try to protect all of our data, we will fail. If we identify that which we absolutely cannot afford to lose to the world or be denied access to, then we can do two things. Firstly, we can focus our money and attention on putting the best possible security in place for that greatly reduced attack surface and, secondly, we can work on re-engineering our systems and data so that there is no longer one thing – one database, one source code repository, one cloud environment – that could bring us down. We can start securing ourselves by changing the way we manage our systems and our data – by managing the value we present to the threat actors and making the risk/reward calculations they make just not stack up.

No academic institution is an island – nor does it want to be. This move towards selective protectionism will be most effective if it happens across the board, and not in silos. Agreeing what is highly sensitive data, and then adopting a universal ring of steel around it, allows HE as a whole to continue to let other information flow more freely. Deciding what falls inside or outside that ring has to be done by asking whether the benefits outweigh the risk and, instead of an all-or-nothing approach, putting more nuanced solutions in place.

The temptation to rush to pull up the drawbridge around your data is an understandable one (it’s a human instinct to protect what we have, after all). But by doing so we risk suffocating the thing that makes the sector great – the ability to learn without boundaries or barriers, and therefore to foster a culture of collaboration, competition and critical thinking that is as friction-free as possible.