Intellectual property is one of the hot currencies cyber criminals trade in. So, naturally, research and data-rich universities, with increasing digital education models and often complex organisational structures, are becoming more of a target.
One of Australia’s leading universities, Australian National University, recently revealed it had been fighting off a cyber threat for several months. Media reports suggest the attack was launched by China-based hackers targeting its defence and security research, accessing sensitive information on national security.
This follows the US Department of Justice indictment of nine Iranian men in March who allegedly hacked the computers of almost 8000 professors at 320 universities around the world over the past five years. The hackers are reported to have been working on behalf of the Islamic Revolutionary Guard Corps to gain both valuable innovations and intellectual property.
In September 2017, The Times reported cybersecurity breaches at UK universities, including Oxford, Warwick and University College London, had doubled over the past two years.
While high-level cyber-attacks compromising national security are rare (at least in the public eye), these cases highlight the need for universities to be making significant investment in cyber resilience strategies.
The connected supply chain
Hackers are now leveraging cyber supply chains by accessing less secure networks, and using them as an entry point to traverse to higher valuable data. Universities are some of the biggest retainers of intellectual property in the country, and a valuable part of many supply chains.
With thousands of students given free rein to bring their own devices onto campus and connect to a network, there is real risk in providing a would-be hacker full access to students’ data, as well as the university data. A simple password can be ‘a ticket to ride’ which is why student ID theft should always ring alarm bells.
How do you protect what you can’t see?
For most businesses it can be a relatively easy exercise to determine their most critical/sensitive information, where it is stored and who has access. This is not true for universities, who by their very nature, have a much more complex structure, and that is perhaps the greatest challenge of all, requiring a multifaceted solution.
This can be difficult to implement when you have thousands of students and multiple autonomous faculties across campus, making it hard to have visibility over their infrastructure and risk profile. Shadow IT is a known threat, and if you don’t have control over the IT landscape it can be very difficult, or almost impossible, to protect against.
Thankfully, many universities are already beginning to think like businesses and are investing heavily in cyber resilience to address prominent risk areas. Our top institutions have recognised the competitive advantage that can be gained when competing for sensitive security and defence research grants. Good cybersecurity risk management can be a differentiator.
As in business, those that take a more reactive approach will continue to put their valuable IP at risk at a time when hackers are becoming more cunning and more sophisticated in their attacks. Those that invest in building resilience in the right areas, may get plenty of opportunity to extract return from that investment.