Yesterday saw the National Cyber Security Centre (NCSC) offer advice to academia on best practises for protection against cyber-attacks, but how much is that needed right now?
Speaking to Infosecurity, Alan Woodward, visiting professor at the University of Surrey, said the NCSC had been working with universities because they are becoming a target. Woodward cited the recent breach at Blackbaud, and also other incidents involving cybersecurity incidents in academia, and the issue is “universities by their nature are quite open environments” and they are open for sharing.
“At the same time, it means it is easier for the attackers to get in, and plant the ransomware,” he said. “This particular time is difficult for universities with lots of people coming in, and they are very dependant on their systems.” However Woodward believes that people are not paying the ransoms, and insurers are now saying that those who were hit need to take reasonable steps.
Calling them the ultimate BYOD environments, he said a lot of the IT infrastructure is known at universities, but there is “a lot of plugging in” by the students, and not all of the technology is always known about. He said in Surrey’s case, what is being plugged in can be seen for safety standard reasons, but added he would not be surprised if that could add a new attack vector.
“Not all universities are equally mature”
Woodward praised the NCSC’s actions, and said the “basics” are commonly enabled, and he had seen CISOs appointed in academia including at the University of Surrey, but not all universities are at the same level of sophistication. “We want to be seen to be eating our own dog food, but not all universities are structured in ways that can lend themselves to that,” he said.
Woodward said he believed that the attack on Newcastle University was intended to be used as a benchmark by the NCSC “to discourage any further attacks.”
So is this a case of universities acting like small businesses, and not allocating time and measures to ensure cybersecurity is at an adequate level? Woodward said at Surrey there are layers of management leading to the CISO, and the intention is to not just look at IT but also cybersecurity. “Not all universities are equally mature,” he said, and made the point that applications for the upcoming Academic Centres of Excellence in Cyber Security Education (ACE-CSE) are currently going in, “and a big part of that is to be seen to not just educate, but be a learning organization.”
However like companies, not all universities have the basics in place, but whether it covers the triad of people-process-technology, “not everybody is at that stage.”
So why are attacks being made? Surely this is not for financial gain, and anything aiming to collect educational data would be done with more of an espionage tactic? Woodward said ransomware is the most prolific cyber-attack tactic globally, and in some cases there has been ransoms paid. “That is becoming a thing of the past now, it is one of those things where you could to SMBs and find the same state of affairs,” he said.
As for the advice issued this week, Woodward said it should be seen as a bare minimum of what you should be doing, and ideally have someone responsible who can talk to the NCSC. “If someone is not doing what is on that list, they could be in trouble.”