Security breaches at universities can have significant consequences with reputational damage from bad publicity and the possibility of personal or embarrassing information being made public. Just consider the fallout if a university known for its IT curriculum falls victim to a cyber-attack or the latest medical research finds its way to the dark web.
Universities are rich targets for cyber criminals. Students provide significant amounts of personal and financial information. Larger organisations, often in partnership with private enterprises, engage in proprietary academic research that would be of interest to competitors or even foreign governments.
Universities, like most companies, rely on their internal computer networks for effective operations. But differing types and lengths of tenure and multiple access points both internally and externally with students, academics, alumni, visiting personnel, postgraduates makes this a complex operation. Then there is the growing popularity of mobile, cloud and offsite networks which just adds to the complexity.
Keeping track of all these different uses and users opens up a significant cyber security challenge with the risk of identity theft high on the agenda of hackers.
Often the way in to these systems is as simple as a username and password and this ease of access is the door opener for the hacker. They may have gained the credentials through a phishing scam, a convincing email that gathers the information by clicking on a link or through ‘phone a friend’. In this scenario, new credentials are created when a staff member who has an ally in the IT team gains a log-in for a new staff member and determines over the phone their level of access. With no accountability and no records this is an enticing situation for fraud to occur.
So what is the best practice?
A robust identity management system (IAM) is vital in the prevention of cyber-crime. ‘Common sense’ in the use of security systems is not good enough is this fluid environment.
A good beginning is found in these six steps.
- Determine a single authoritative source to be the system of record. Perhaps aligned to human resources or the student database.
- Determine the common standard for all user identities e.g. user ID, first name, last name, year of enrolment. Keep these standard across all users.
- Create one database that is the single source of reference for all users regardless of their status.
- Determine the most sensitive information that falls under regulatory mandates e.g. financial information.
- Determine the level of access for each person. Identify the high risk users who have privileged access on a restricted access. Monitor these users and work on the concept that users should have the least privilege rather than open access.
- Implement a governance system and automate processes wherever possible. Use a unique identifier like a pin to set up their account verified by another form of identity.
A sturdy IAM system is an important step in preventing cyber-attacks and the subsequent loss of both data and reputation. And education administrators can only expect these attacks to intensify as the pickings are rich. Which is why more and more hackers are attracted to education.
Read the full report: Securing the higher education perimeter