Data is the new gold

Colleges and institutes across the globe rapidly progress toward digitalizing their operations and educational processes.

It is therefore imperative to keep data secure and implement watertight mechanisms for cybersecurity. 

Educational institutions realize that the sudden and rapid digitalization has left many gaps that could be, or are being, exploited by malicious actors. The large size of these organizations and the inherent churn involved further increase their risk for a variety of cyber-attacks. We will discuss why educational institutions must not look at cybersecurity simply as a technical exercise but make it part of their growth strategy and embed it into their organizational culture.

The emergence of hybrid education

Hybrid education is here to stay.

Over the last few years, innovation in the global education sector has accelerated. As education industry leaders reimagine education, there is a pressing need to explore ways to deliver seamless learning experiences. As a result, stakeholders from the industry are examining different educational models to meet the diverse needs of the students. A key development has been the emergence of the hybrid education model—a combination of in-person and online education. 

While traditional classroom teaching will remain in some form or the other, the hybrid education model is the way forward. In many ways, the latter is not a supplement to the former but, both are complementary to each other. Students can leverage a combination of online and offline content for customized, deeper, and richer learning experiences.

Institutions can collaborate with partners to introduce innovative features such as digital libraries and facilitate sessions from industry experts across the globe, all at a relatively lower cost than if all of it were being done offline.

The speed of adoption of new technology will likely decide the future leaders in the education space. However, the growth of hybrid education has not been organic and hence, suffers from some inherent gaps, the biggest and most damaging of which is cybersecurity.

Cyber threats loom large

Monetary and reputational damage aside, cyberattacks are major impediments to growth.

The stakeholders in a typical higher education institution are students, faculty, research personnel, and professional service providers. The sizes of these organizations are almost equal to, or often bigger than the large corporate organizations of the world. Yet, their IT budgets amount to less than one-tenth of the budgets of large enterprises. Combined with factors such as the lack of funding, staffing issues, and delayed adaptation to new technology, these institutions have become lucrative targets for malicious actors. 

The relative ease of availability of sensitive data, its demand in the black market, and the opportunity to leverage this information for ransom further add to the negative attention this sector is facing. 

In 2020, some universities in the US, along with others in the UK and Australia, were targeted by hacking operations trying to steal intellectual property. Recently, the University of Oxford’s Division of Structural Biology was attacked by hackers seeking information on the vaccine the university developed with AstraZeneca. Multiple universities and schools worldwide have faced denial-of-service (DoS) attacks. 

The inherent qualities of the sector’s size and churn also play against it. The sheer size of such organizations, with a large number of people joining and leaving each year, put an additional load on the IT teams to manage and track access. Also, the current IT infrastructure in most universities is complex and siloed, and the adoption of the hybrid model of education has complicated matters further.  

Another reason is the abundant availability of personally identifiable information (PII). This type of data fetches a high price in the black market and on the dark web and can be used by threat actors for various reasons, including fraud, identity theft, terrorism, and blackmail. PII encompasses highly sensitive data such as names, addresses, social security numbers, and the salary information of current and former employees. 

Education, by design, functions on a four-dimensional delivery model—people, processes, technology, and partners. The people dimension features four distinct types of personas. It encompasses students, teachers, researchers, and professional service providers, with the last group being the most diverse. Each persona, with its own behavioral and functional traits, further complicates the process. For example, support staff may be more vulnerable to phishing attacks that can expose the PII of students, alumni, teachers, and applicants. 

Most universities today operate with the BYOD (bring your own device) model for students. Further, for a learning environment, a free flow of data, a collaborative atmosphere, and 24X7 availability of information are essential. These factors create complexity when features such as access control and restricted data availability are implemented for security. With its inherent churn rates, this makes the people dimension the most complicated and critical aspect.

Another dimension is the partner ecosystem. Consider the case of the data breach at a large US medical university, where the university had to pay a huge fee to some of the employees. A former employee of FEMA, a partner organization, gained access to the university’s human resource database and stole employees’ sensitive PII and W-2 information. This information was then sold over the dark web to cybercriminals, who used it to file false tax returns.  

Bringing about a culture shift

The cybersecurity strategy for the education industry cannot be a plug-and-play approach. 

What institutions need is to go the bespoke way (see Figure 1).

Figure 1: Navigating cyber-threats

An educational institution’s cybersecurity strategy must consider its diverse stakeholder set and the rapid inorganic digital adoption it has undergone. Also, educational institutions promote data sharing rather than compartmentalization. This must be addressed when framing cybersecurity strategies.   

The solution must address the behavioral details before the technical ones. The strategy should start with realizing positive social change through extensive training and monitoring. This must begin at the basic level and include stakeholders such as security personnel and lower-level admin staff while increasing awareness at the top levels. This will help ensure that cybersecurity is woven into the organization's cultural fabric and will drive organization-wide accountability.

Secondly, as depicted in Figure 1, prioritization is required to identify the most important things that need protection. In addition to mission-critical systems, this could include information and assets with the highest impact. This helps with planning for redundancies, ensuring business continuity, and isolating contents such as research, novel technology, IPs, patents, PII, and financial and third-party information. 

Thirdly, centralized IT infrastructure with a tailored cybersecurity governance framework should be implemented with a strong backbone comprising segmented networks, well-designed back-ups and redundancies, and a well-defined accountability matrix.

The system should have uniform protocols, accounting for factors like BYOD and remote and multi-device logins, enhanced two-step user authentication methods, and a highly streamlined and automated access control mechanism based on a zero-trust security framework.

Further, the system should also address the behavioral aspects of cybersecurity by having a robust incident reporting mechanism, identification of best practices and fast remediation, reward and punishment practices, and dynamic policies driven by BCP drills, continuous evaluation, and readjustments.

Finally, cybersecurity readiness should move from a reactive approach to a proactive one, combining traditional defenses with real-time monitoring and data-led intelligence to predict incidents before they happen. There should be a well-documented and well-socialized recovery plan that specifies each stakeholder’s roles in case of a breach. This should be reinforced with regular drills, testing and awareness drive on the latest threat actor capabilities and behaviors, infusing cybersecurity into the very ethos of the organization.  

Moving beyond traditional ideas of security 

Artificial intelligence can elevate the cybersecurity game.

Institutions can benefit from AI by becoming more aware, responding quickly, and enhancing the overall effectiveness of their cybersecurity systems. AI can also be used for behavioral analytics, network security, vulnerability management, and phishing detection and prevention. On the flip side, unlike traditional systems, AI systems can be breached in non-traditional ways that could lead to privacy violations.

There is no room for complacency in an area as vital as cybersecurity. From valuable research data to private information, there is too much at stake. Institutions must explore established technologies for cybersecurity defenses and emerging ones. As threat actors easily leverage blind spots, both the ethical and technical aspects of cyber security violation need intensive research. Cybersecurity approaches must be ever-evolving and help facilitate a safe place for learning, a secure arena for employment, and a protected environment for sensitive research.