Universities and other higher educational establishments are at risk from data breaches, just like any large organisation or business. But are educational institutions at any additional risk? An article in the Huffington Post last year gave examples of 5 colleges with data breaches larger than the Sony breach.
Universities UK, an organisation comprising the chief executives of UK Universities working to support and promote the UK higher education sector, commissioned a report looking into approaches to implementing cyber security in higher education institutions at an executive level.
Their suggestions on how to provide suitable cyber security appear very similar to approaches any large company should be tackling:
The nature of, and reliance on, the data plus a wide set of activities requires a set of targeted cyber security models appropriate and proportionate for their assets.
Data is relied on for the successful operation of the institution as well as a requirement for research and the production of further data. It can be the main intellectual asset, sometimes politically or commercially sensitive and essential for the university to meet its commercial or academic needs. Just consider the nature of climate change data, or medical records. Or it could be enterprise data, on students, finances and HR: subject to the usual data protection laws.
The implications of any data theft are huge: reputational, legal, economic and operational. Future funding could be affected, as well as possible loss of future student fees and associated income. Prosecution and other penalties could arise, or the loss of intellectual property assets. There may even be damage to infrastructure that cripples the activities of the institution.
The personal and financial data stored on university data systems is of great value to the cyber-criminal. However, commercial data can be of interest to corporate spies and scientific or grant-related research can be targeted by nation-state backed groups.
Even university infrastructure, with its large bandwidth and powerful servers, is a target for hackers. It can be hijacked and used to direct attacks to other external systems. When the New York Times’ computer systems were hacked in 2013, the subsequent investigation found that the attacks had been directed through compromised computers at US universities.
The threats faced by educational institutions are the same as ever.
the list goes on!
However, the nature of the university campus and network is the real difference between higher-education establishments and the corporate network. Made up of many, sometimes dispersed, networks, the university network infrastructure is the corporate security officer’s nightmare. But this is not down to any lack of foresight or ignorance on the part of campus IT security. Far from it. The educational environment and historically open campus mean there is not the tight, security-focussed infrastructure that corporate networks exemplify.
A regular flux of undergraduates; researchers and graduates collaborating and sharing data globally; visiting academics; “bring your own device” infrastructures long before business even considered it. These are environments where the concept of tight data security has traditionally been unhelpful or even unwanted. When an institution thrives on the free exchange of data and ideas, it cannot easily apply the same security measures as larger businesses do.
There is a fine balance between what has to be allowed and what security measures can be put in place. Security in all organisations, commercial or academic, is a trade-off between the likelihood and potential impact of an attack and the financial cost or loss of utility incurred in defence.
One successful approach has been to segment and partition campus networks as much as possible so that the most sensitive and valuable data can be protected adequately while allowing for relatively open parts of the network to support educational and research needs. This can be complex and requires detailed risk analysis, management prioritization and associated security measures.
In fact, this is an approach that is starting to be seen in corporate networking. The dangerous ‘outside world’ and the safe local network is the old-fashioned view of things. The DMZ that used to sandbox the systems shared between both WAN and LAN is now being considered as the protected zone to secure servers from both the outside and internal worlds: using security systems that monitor the network for behavioural anomalies, rather than rely on perimeter-based protection.
And here, universities may be ahead of the corporate world.
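The segmentation idea described above can be sketched as a small zone policy with default deny, where being inside the campus network grants no access to the protected zones. This is an added example, not taken from the Universities UK report or any institution's configuration; the zone names, address ranges, ports and rules are constructed assumptions.

```python
import ipaddress

# Constructed zones for a hypothetical campus (private address ranges only).
ZONES = {
    "research-data": ipaddress.ip_network("10.10.0.0/24"),  # sensitive datasets
    "enterprise": ipaddress.ip_network("10.20.0.0/24"),     # student, finance, HR
    "campus-open": ipaddress.ip_network("10.128.0.0/9"),    # BYOD, labs, visitors
}
PROTECTED = {"research-data", "enterprise"}
UNTRUSTED = {"campus-open", "external"}

# Explicit allow-list of (source zone, destination zone, TCP port).
# Anything not listed here is denied.
ALLOW = {
    ("campus-open", "enterprise", 443),     # student portal over HTTPS
    ("enterprise", "research-data", 5432),  # reporting database link
}


def zone_of(ip):
    """Map an address to its zone; anything unlisted counts as 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def is_allowed(src_ip, dst_ip, port, allow=ALLOW):
    """Default deny between zones: internal origin alone grants nothing."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-zone traffic is out of scope for this sketch
    return (src, dst, port) in allow


def audit(allow=ALLOW):
    """List rules that let an untrusted zone reach a protected one, for risk review."""
    return sorted(r for r in allow if r[0] in UNTRUSTED and r[1] in PROTECTED)


if __name__ == "__main__":
    print(is_allowed("10.130.4.7", "10.10.0.5", 5432))  # open campus -> research data
    print(audit())
```

The `audit` output is the short list of exceptions that the risk analysis mentioned above has to justify individually.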
Do you segment and partition campus networks? Are you finding infrastructural problems and silos - a network security nightmare? If you’re an IT pro working in a university or school I’d love to hear what you think. Email me at firstname.lastname@example.org