Data management as a defence
With incidents such as the NSW Education Department attack and the RMIT outage earlier in the year, it’s evident that the education sector is no stranger to cyber attacks.
With at least 1.5 million students enrolled in universities across Australia and 130,000 full-time staff, the amount of data institutions hold is nothing short of a goldmine to cybercriminals.
What makes universities a target?
As the pandemic pushed people to work and study remotely, more time was spent online, widening the potential security gaps. IT and security teams in particular faced new challenges in monitoring user behaviour and ensuring people follow best practices.
Educational institutions hold an enormous amount of confidential data, including credit card details, financial documents, academic records and medical information. With the shift to remote work happening so suddenly, leaving little time to consider security measures or to provide cybersecurity training for new remote users, it’s no surprise that cyber attacks on Australian universities have soared over the past couple of years. In fact, the Australian Cyber Security Centre reported a 60% increase in ransomware attacks across Australia in the past year.
Digital identity management for risk mitigation
Manually sifting through high volumes of sensitive information is nearly impossible to do effectively. Contextualising a huge amount of data to work out what is relevant or what could pose a risk is an inefficient and laborious task, which is why investing in artificial intelligence (AI) is a good first step for an organisation looking to manage identities.
Risk-adaptive authentication acts as a first line of defence against intruders entering the system. By continuously monitoring and analysing a user’s normal pattern of behaviour over time, it recognises abnormal login attempts and requests additional authentication from the user. For example, if a user logs in from an unusual location or at an abnormal time of day, the attempt is flagged as high risk and an extra authentication step is required.
If an attacker does get into the system, user and entity behavioural analytics (UEBA) systems use AI to gauge what is normal and abnormal user conduct. A UEBA system can catch threats in real time by picking up abnormal behaviour, such as logging on to unusual applications or downloading large volumes of data, then flagging the behaviour and automatically revoking access.
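The two mechanisms described above, risk-adaptive login scoring and a UEBA-style check on download volume, can be illustrated with a small self-contained model. The following is an added example written for this article; it is not LogMeIn’s code or any product’s implementation. The login history, device names, countries and download volumes are constructed sample data, and every threshold (the points per signal, the 70/30 score cut-offs, the 3-sigma limit) is an assumption chosen for the illustration.

```python
"""Risk-adaptive login scoring and a UEBA-style download check.

Added example for this article, not code from LogMeIn or any product. The
login history, device names and download volumes are constructed, and every
threshold below is an assumption chosen for the illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class LoginEvent:
    user: str
    timestamp: datetime
    country: str
    device_id: str


@dataclass
class Baseline:
    """A user's normal pattern, learned from past logins that were accepted."""
    countries: Counter
    hours: Counter
    devices: Counter
    total: int


def build_baseline(history):
    return Baseline(
        countries=Counter(e.country for e in history),
        hours=Counter(e.timestamp.hour for e in history),
        devices=Counter(e.device_id for e in history),
        total=len(history),
    )


def score_login(event, base):
    """Return (risk score 0-100, reasons). Never-seen attributes add points."""
    if base.total == 0:
        return 50, ["no baseline for this user"]   # new user: medium risk by default
    score, reasons = 0, []
    if base.countries[event.country] == 0:
        score += 50
        reasons.append(f"never seen country {event.country}")
    # hour of day, with one hour of slack either side of hours seen before
    near = sum(base.hours[(event.timestamp.hour + d) % 24] for d in (-1, 0, 1))
    if near / base.total < 0.05:
        score += 30
        reasons.append(f"unusual hour {event.timestamp.hour:02d}:00")
    if base.devices[event.device_id] == 0:
        score += 20
        reasons.append(f"unknown device {event.device_id}")
    return min(score, 100), reasons


def decide(score):
    """Policy action for a score; 'step-up' means ask for an extra factor."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step-up"
    return "allow"


def download_is_anomalous(daily_mb, today_mb, z_limit=3.0):
    """UEBA-style check: is today's download volume far outside this user's history?"""
    if len(daily_mb) < 5:
        return False                      # too little history to judge
    mu, sigma = mean(daily_mb), max(pstdev(daily_mb), 1.0)   # floor avoids sigma == 0
    return (today_mb - mu) / sigma > z_limit


# Constructed history: 20 weekday-hours logins from Australia on two known devices.
HOURS = [9, 10, 11, 14, 15]
HISTORY = [
    LoginEvent("astaff", datetime(2021, 10, i + 1, HOURS[i % 5]), "AU",
               "phone-1" if i % 5 == 0 else "laptop-1")
    for i in range(20)
]


def demo():
    base = build_baseline(HISTORY)
    events = {
        "usual":     LoginEvent("astaff", datetime(2021, 11, 2, 10), "AU", "laptop-1"),
        "new_place": LoginEvent("astaff", datetime(2021, 11, 2, 10), "RU", "laptop-1"),
        "all_odd":   LoginEvent("astaff", datetime(2021, 11, 2, 3), "RU", "unknown-9"),
    }
    results = {}
    for name, ev in events.items():
        score, reasons = score_login(ev, base)
        results[name] = (score, decide(score), reasons)
    # UEBA: constructed daily download volumes (MB) for the same user, then two candidate days
    past = [120, 90, 150, 110, 130, 100, 140]
    results["download_160mb"] = download_is_anomalous(past, 160)
    results["download_5000mb"] = download_is_anomalous(past, 5000)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the block shows the three outcomes the paragraph describes: a login matching the baseline is allowed, a login from a never-seen country is pushed to step-up authentication, and a login that is wrong on location, hour and device at once is blocked. The download check flags a day that sits far outside the user’s own history rather than comparing against a fixed limit, which is what makes a per-user baseline more useful than a global rule. A real deployment would learn the baseline only from logins that were later confirmed legitimate, so that an intruder’s activity cannot quietly become the new normal.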
Stronger passwords are a starting point
Deakin University discovered that staff were not using secure methods to store and share sensitive data, including personally identifiable information, and were instead keeping it in spreadsheets saved on shared drives. Such an open resource can make it easy for attackers to gain access and steal credentials. LogMeIn worked to deploy a password management solution that gave Deakin University an overview of the types of passwords used by its staff and by the 60,000 students it teaches annually.
Our latest Psychology of Passwords report revealed that 41% of people think that their accounts aren’t valuable enough to be worth a hacker’s time. This gives people a false sense of security and may lead them to bad password habits such as reusing the same password or a variation of it: 91% know this is a risk but 66% do it anyway. A hacker only needs access to one piece of information to be led towards something more valuable, such as personally identifiable information. Every bit counts.
More than just the technology
Strengthening an organisation’s cybersecurity capabilities means looking beyond surface-level solutions such as buying technology. Truly strengthening Deakin University’s cyber resilience means enforcing better user habits by educating staff, students and alumni in best practices that improve cyber hygiene. It’s also important to consider that universities serve a broad spectrum of users and employees with varying levels of digital literacy: technical and non-technical, staff, students and alumni.
Technology implemented to protect an organisation can be rendered useless if a user is fooled by a malicious link in an email, for example, or visits a site without knowing it is infected. The Office of the Australian Information Commissioner (OAIC) states that 60% of data breaches were due to human error and phishing attacks combined; it listed education as the third-highest industry reporting the most data breaches. As phishing and ransomware attacks become increasingly sophisticated and harder to detect, individuals need to be equipped with the knowledge of what to look out for and how to report suspicious activity when they encounter it.
Universities have a responsibility to ensure that the technical environment in which their staff and students operate is secure and protected. Cyber awareness, however, needs to be raised across the whole organisation, regardless of a person’s role or individual responsibilities. Cybersecurity is everyone’s business and a constantly evolving issue, so it’s important that cyber hygiene is maintained to avoid a crippling cyber attack.