What is common between Stanford, Yale, Indian Institute of Management Ahmedabad, National University of Singapore, University College of London, other than the fact that they are the most sought after destinations for students and corporate alike? Well, they have all been victims of cyber attacks in the recent past. These institutions represent the creme de la creme of the education ecosystem and, as such, do present themselves as a desirable target for attackers. While these are more prominent universities and any attacks on them do grab the headlines, what gets missed out is that the entire sector from K-12 to the universities is an attractive target for the hackers.
For a very long time, universities always felt that they were not an attractive target for the attackers because they did not have any valuable information to go after. However, the spate of attacks on the sector offers a fascinating insight into why they were targeted.
All you need to know from the expert Pankit Desai, Co-founder & CEO, Sequretek.
Student information: As part of the admission process, universities collect significant Personally Identifiable Information (PII) not only of the students but also their parents. The PII covers health records, financial status, contact details, academic choices as well as student preferences, making them a gold mine for the attackers.
University research: Traditionally, universities have been a hotbed of research activities both fundamental and applied, hence making them a top target for hackers. Oxford University was in the news because of the increase in the number of attacks by cyber-spies to steal their research around vaccine for COVID19.
Start-up incubation: These days, universities have also become launchpads for start-ups, with intense competition between them to incubate the next Unicorn. In most cases, the students work on their next big idea while still studying, and they do so by using university infrastructure. If the infrastructure is not secured, an espionage like attack could result in innovative business ideas being leaked before they even get a chance to hit the ground running.
Credential harvesting: It is a known fact that most users like to keep the user id /password combination standard, which, along with information harvested from the student networks, is used for carrying out attacks.
Financial impact: Ransomware attacks are quite common across all industry segments, and so is the case with this sector. The attackers are, however, timing the attacks to specific time-bound events like admissions, examinations periods to maximize the impact as well as force the institutions into paying the ransoms.
The fact that the universities are a soft target is a given. Still, the problem gets compounded by a combination of factors ranging from lax attitude towards security to the financial constraints or their operating philosophy.
Read also: A Brief View of Interior Designing Course
Perennial lack of budgets: Too many competing needs, make investment in security one of the last priorities. Outside of the handful of well-funded institutions, the situation is pretty dire for the remainder who depend on government grants to make their ends meet.
Heavy use of open source: Whether an outcome of the previous situation or by design, most education institutions depend heavily on open source for their technology needs. By their very nature, open-source technologies are complex and not user friendly, resulting in poor implementations.
Lack of skills: This again could be a budget issue, but most institutions co-opt their students to support their tech platforms. While this is a great learning ground of the kids, there is a downside as skills are limited and second as students graduate and move out the knowledge moves with them.
Extensive dependence of technology: With COVID19 forcing authorities to shut down classes, all schools have been forced to use techniques for teaching/ research/ collaboration/ project activities that they would have done in physical premises. None of these institutions were geared for #WorkFromHome #VirtualClassroom related needs.
Security policy framework: Unlike the corporate world where you can enforce an organization policy and strictly enforce it, most education institutions allow freedom of access, making it challenging to monitor abnormal behavior as well as implement hygiene factors.
Missing regulation: The focus of ministries and departments is primarily to ensure the well-being of the education sector; they seem to have missed out on creating and enforcing guidelines for cyber security. It is quite evident that without regulator pressure, most institutions do not pay any attention to cyber risk.
Schools, colleges, and universities are supposed to be safe havens where kids can continue to learn and grow without any extraneous circumstances that impact their safety. The institutions have taken commendable steps to improve safety and security in the areas of bullying, physical safety measures, or sexual abuse. They need to recognize that cyber safety is an area that needs equal attention, as the potential impact of a breach to the community (not just the institution) could be long term.
Courtesy: India Today
Follow us on Facebook, Twitter, LinkedIn.