Growing cyberspace

We all know that there are more ‘things’ to secure, so let's be more specific. The pandemic forced higher education establishments to embrace remote learning and as a result, this meant there was an increase in staff and students using their own devices, but this is just the tip of the iceberg.

As higher education establishments increase their usage of cloud-based systems, SaaS, and other solutions to meet the ever-increasing (and over-stated) demands of the user, they are adding more ‘things’ to secure, especially when these systems are being accessed from random locations globally.

All this before we even mention the growth of the Internet of Things (IoT) and Operational Technology (OT) in Higher education. Distance learning, online collaboration, and video conferencing have now become an intrinsic part of universities, along with increasingly ‘digital’ campuses comprising smart TVs, speech-enabled assistants, and other often unmanaged technology. As a result, the device ecosystems supporting these transformations have had to evolve from traditional IT infrastructure to consumer technologies, which presents a significant risk when not understood or thought through.

The other point to note here is with an increased digital landscape often comes increased data. Understanding this data, monitoring it, and deriving intelligence from it is the foundation to being able to secure that landscape. The real pain in the neck here is, that with this growth (largely in the cloud or at least off-campus) comes scarcity in visibility, making it difficult to understand the risks and mitigate against them.

Remote learning was always here but now it’s an issue

Why? Access - expected anytime, anywhere, and by everyone.

Yes, the pandemic pushed universities to move to remote learning overnight but this was a trend that was growing regardless. Online courses, international students and general e-learning have been on the rise for some time and it doesn’t look like it’s slowing down.

Although this can cause sleepless nights for those concerned with service delivery, we’re here to discuss the cybersecurity implications of anytime, anywhere access. This starts with the device and it can be completely random.

Students rarely do things with security in mind - in all fairness, cyber security professionals aside, they aren’t alone. So when it comes to buying a laptop, installing some anti-virus software, having any kind of security, using open wi-fi, clicking on emails, their browsing habits and even locking their front door, it’s safe to say - their attitude to security is often fairly ropey.

This poses a threat when connecting to university systems as you can’t trust the device students are connecting with, it’s quite likely that a number of them will be infected with some sort of malware. Any vulnerability through the connection process or without the right permissions in place, could open the door to malicious activity spreading across the wider network.

The challenge is not the principal, it’s the scale. With so many connections into university systems by so many untrusted devices, there is a huge risk to mitigate when it comes to remote access. The architecture of most university networks was not built to support such a distributed user-base with remote access being at least on par with campus connectivity, if not greater and due to this unsuitability, making it work rather than making it secure is historically the focus.

The skill gap vicious circle

There is a digital skills gap in the UK and universities are struggling to acquire and retain employees who have key skills within IT. As cyberspace is increased at universities and more systems are added, it requires specialist skills to not only maximise the capability of these systems and run them but also to secure them.

The problem we see fairly frequently is, when higher education establishments are able to get their hands on talent to either grow into these positions or come in and tackle specific problems, that talent is often snatched up by private sector businesses who can offer a much more attractive package.

With this skill gap in place, you’re often left with a skeleton team that are trying to stitch the fabric together, often through the procurement of solutions that should solve problems but more often than not only exasperate the problem. Why?

The more 3rd party vendors that come into the estate the greater the need for specialists to maintain and maximise these new solutions. Without someone who knows what they're doing, these solutions can have a low capability utilisation and can become just another thing to manage.

Cyber vendors have a tendency to sell the maximum capability of a solution when in actual fact it requires a lot of tweaking to make it suitable for the job and is used to the maximum capability.

This is where the vicious circle can come into play. Skills gap = problem = procure perceived solution = more things to manage without specialist skills = greater problem.

This is where a solution versus service argument comes to the table.

The architecture itself is a risk

Right, stick with us here, it’s a bit of a three-part puzzle.

So firstly, let’s look at the sector. The tenets of higher education institutions are based on collaboration; sharing information, sharing research and that makes it difficult to segment the network and restrict access as granularly as you would in say, a law firm.

Even if you were looking to grant access for a certain time frame based on certain variables, that process is largely left to manual intervention and at scale, mistakes will be made.

This brings us to the 2nd part of the puzzle - the susceptibility of the sector to:

1. phishing, due to the perceived behaviour of the users, and
2. ransomware, due to its segmentation.

We did some research into students’ usage of university IT and there was general confidence from the students that picking up on scam emails would be easy (we weren’t as convinced), but there was also an assumption that anything from the university is trusted, without consideration towards legitimacy, impact or privacy. We tested this with a question around installing software, suggesting students are also likely to be susceptible to spear phishing.

This brings us to the final piece of the jigsaw - there’s a lack of visibility into the actual real threat. Due to the growth in the digital landscape, paired with largely off-campus (remote or cloud) activity and the squeezing of IT infrastructure and teams to meet the demands of the users, there are so many blind spots and unknowns. This all makes a higher education network extremely vulnerable to attack.

There is often a tendency to gravitate towards advanced cyber security solutions that tackle specific threats, but there isn’t a huge understanding of the overall security posture. Why invest in an advanced technical security solution if you’re not resilient enough to overcome a pay-as-you-go DDoS attack that can be accessed by anyone? Which threat is more likely to be seen?

Now we’ve had a look at some of the challenges, let’s have a look at some practical solutions to mitigate the risks we’ve outlined above.