Australia’s university hacks show urgent need for cyber protection

This month, the University of Western Australia reported a breach of its student information system, which compromised the personal information of current and past students.

This followed the July attack on Deakin University, where a cyber criminal accessed one of the university’s third-party providers and stole the names, IDs and mobile numbers of 47,000 students. Around 10,000 of these students were sent a text purporting to be from the university, asking them to pay a fee through a link.

The extent of the threat is such that the Australian Cyber Security Centre’s latest cyber threat report confirmed that education and training providers are now the fifth-most targeted sector for cyber attacks.

For the university students, staff and other stakeholders whose information is stored in these databases, this presents the very real possibility of falling victim to financial theft, ransomware or identity fraud – often through no fault of their own.

Why hackers target universities

Universities are an attractive target for hackers, chiefly because they handle, process and store vast amounts of personally identifiable information (PII) pertaining to students and academic staff.

As well as presenting risks on the individual level, if this information falls into the wrong hands, it could jeopardise Australia more broadly.

Academic institutions are at the forefront of policy and research, and deal with information critical to the development of technological innovations, medicine and other significant practices.

VIEW ALL

The theft of this data could seriously delay or prevent Australia’s development, economic prosperity, safety and global reputation.

An example of this happened last year at Oxford University when hackers broke into the systems being used to research and fight against COVID-19.

In Australia, the escalating threat environment has even prompted the government to recently refresh its Guidelines to Counter Foreign Interference in the Australian University Sector.

Updating security for the modern environment

One of the biggest problems with Australia’s academic institutions is the fact they have decentralised security. An institution’s departments and colleges typically operate autonomously and with a siloed approach, with each department having its own IT teams and assets.

This limits the overall visibility and control institutions have over data, which not only makes attacks easier, but heightens the chance of people accidentally sharing sensitive information.

While the challenges of university data protection predate the pandemic, they have recently been exacerbated due to accelerated digital and cloud migration.

Over the past few years, universities have been forced to rapidly transform to support fully remote campuses, enabling students, faculty, administrative staff and partners to engage with each other virtually.

Security tools have lagged behind this transformation and largely remaining on-premise, operating under the outdated assumption that everyone and everything resides in physical campuses.

This approach limits transparency and control over the exchange of data. With people now connecting to the university’s network across countless locations, apps and unmanaged devices, this creates even more gaps for criminals to gain entry.

Research has found that hybrid learning will continue entrenching itself as the norm across Australia. This means higher education institutions need an approach to cyber security that recognises how data moves in digital learning environments.

While some institutions have begun aligning cyber security with blended learning, tools are often deployed in isolation, and when components don’t work together, administrators need to switch between programs to get a clear view of status and performance. This means hackers have a head start on administrators, and security gaps are often left wide open.

This, among other flaws, needs to change for tertiary institutions to beef up their security posture. Finding a way to de-silo these components and instead leverage a unified, end-to-end data protection solution would enable IT teams and security teams to avoid the hassle of switching and, more importantly, acquire visibility over the entirety of its infrastructure. Doing so would better empower IT teams to intercept nefarious entry via all manner of applications, including those from third parties, before they reach the network.

By reducing the risk and impact of ransomware and other cyber attacks – even as the network perimeter disappears and data sprawls across countless apps – universities can more quickly and confidently create and maintain a secure, safe, compliant digital campus for remote learning.

Not only will this instil confidence for former and current students, academics and international students as they return to Australia’s shores but enshrine some of the nation’s most valuable assets with the protections needed to progress and compete on a global stage.

Don Tan is the head of sales, APJ at Lookout.