Cyber security is becoming a big deal in Higher Education
Since the COVID-19 pandemic began to affect Australia, more work and study has taken place outside the university network. End users span a wide range, including professional staff, academics, researchers, support staff and students. This creates a wider attack surface and range of access points for cyber-attacks. Universities are further exposed by the many technologies, networks and legacy systems that exist. Because these legacy systems are no longer supported, patches and other updates are not available to address any new cyber threat.
The cybersecurity threat takes many forms. The most commonly publicised is the ransomware attack, in which a cyber-criminal disables part or all of an organisation’s systems until a ransom is paid. According to the ACSC, the number of ransomware attacks has increased by 60% in the last year. The average ransomware demand in Australia was $1.25m last year (2020). The most common form of entry to the system is via phishing emails.
In the higher education sector, the Australian National University (ANU) was hacked twice in 2018, with unauthorised access to significant amounts of personal, staff, student and visitor data going back 19 years. These breaches were the result of an advanced persistent threat (APT) against the ANU systems. In February this year (2021), RMIT University had to cancel online classes and some face-to-face classes when a malware attack disrupted the RMIT systems. In April 2021, Swinburne University of Technology had a data breach in which the personal information of 5,200 staff and 100 students was accessed unlawfully.
These are the reported cyber-attacks. Organisations are reluctant to report cyber-crime because of the reputational damage. However, this is likely to change in the near future as the federal government proposes changes to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SOCI Bill). These will include mandatory cybersecurity incident reporting and enhanced cybersecurity obligations for ‘systems of national significance’.
Combating the threat of cyber criminals requires acknowledgement of, and education about, the risks at all levels of the institution, from the Board/Council down through all levels of staff. It also requires the policies and procedures of a mandatory reporting regime to notify necessary stakeholders. There also needs to be a tolerance of attacks, with mitigation strategies in place to reduce the threat in the first place and to address cyber-attacks as they occur.
There is also a growing vulnerability arising from third-party providers of Software as a Service (SaaS) solutions and from the storage of data by cloud service providers. COVID-19 has had an impact on the delivery of higher education, with greater acceptance of, and willingness among students to choose, online, blended and hybrid modes. To meet this increased demand, universities are in partnership with Online Platform Management (OPM) providers. These OPMs hold highly sensitive course material and student and staff data, making them a target for cyber criminals.
Professor Andrew West is currently Dean of Universal Business School Sydney (UBSS).
Emeritus Professor Greg Whateley is currently Deputy Vice Chancellor of Group Colleges