Open campus access creates cybersecurity risk
Universities are vulnerable to potentially damaging cyber breaches because of their structure and focus on open access.
Universities are uniquely vulnerable to potentially damaging cyber breaches because of their decentralised structure and focus on open access to information, according to cybersecurity consultants.
“Their ecosystem is unique and different to an Australian corporate,” said Shane Bell, partner with McGrathNicol Advisory.
Speaking after news last month that the Australian National University had fought off a sustained attack by overseas hackers, reportedly from China, Mr Bell said universities were magnets for attack partly because of the valuable research information they held.
Mr Bell and his colleague, McGrathNicol Advisory partner Darren Hopkins, said the broad access to university systems by tens of thousands of students and staff, and their decentralised management structures, were points of vulnerability.
“(University) faculties do different things and have their own views about who will have access to their infrastructure,” Mr Bell said. “Their primary driver is not necessarily the protection of that information, it’s the availability of the information.”
Mr Hopkins said universities had no control over the tens of thousands of “bring your own” devices used to log in to their systems.
“You’ve got no control over any of that,” he said.
He said there was a high risk of malware being introduced, which attacked the system.
Mr Bell said universities faced a complex cybersecurity challenge.
“Inside a university you’re dealing with thousands upon thousands of students and layers within that of who should be accessing what information,” he said. “To build controls around that can be quite complicated.”
The pair said there was a major risk of identity theft — stealing email addresses and passwords — which could give bad actors access to sensitive material.
They said there was a noticeable change in the approach of hackers, who were no longer as concerned with quick wins but were thinking more strategically about how to maximise their returns once they have penetrated a system.
“Once they get in somewhere, rather than doing anything immediately they’ll sit there and see what they’ve got,” said Mr Hopkins. “It can take weeks or months. They will use the information to island hop to the next system.”
Mr Bell said that universities were making a shift towards being more proactive, rather than reactive, about their cybersecurity, which was a positive step.