Costly attacks by cybercriminals on universities have gone from headline-worthy to almost routine.

To take a few examples from the past few months, in June, the University of California, San Francisco paid $1.14 million (£860,000) to a ransomware gang to regain access to its data.

The following month, a string of UK institutions had data stolen – including details of alumni donations – after an attack on Blackbaud, which provides cloud services to universities.

Such attacks “will absolutely continue”, said Mark Ford, who leads higher education risk and financial advisory services for the audit firm Deloitte. As higher education becomes known as an “easy target”, this increasingly “attracts the bad guys”, he explained.

ɫ��ֱ��

The threat comes not just from criminals seeking money. Universities now house arguably the most valuable secrets on earth – plans for a coronavirus vaccine – putting them in the sights of state-backed hackers. In July, UK, US and Canadian intelligence services warned that Russian groups were attempting to target Covid-19 vaccine research and development.

This raises the question: are universities doing enough to defend themselves against hacking?

ɫ��ֱ��

Comparing the strength of universities’ defences with those employed by other types of organisation is tricky. Understandably, those who get hacked would rather keep it quiet. And cybersecurity needs vary between sectors.

Nevertheless, there are signs that some universities may be under-spending.

Higher education institutions in the US devote 3.6 per cent of their overall information technology budgets to information security, according to the most recent data from Educause, a US-based group of IT professionals working in higher education.

How much is it normal for organisations to spend? Estimates vary widely, but 3.6 per cent is at the lowest end of the spectrum.

One of the most recent estimates, a survey of chief information officers conducted earlier this year by the technology firm IDG, found that on average organisations earmarked 16 per cent of their IT budgets for security.

Meanwhile in the UK, a survey of institutions released in July found that five universities had no qualified cybersecurity personnel whatsoever.

This was “most concerning”, said George Glass, head of threat intelligence at Redscan, a London-based cybersecurity company that compiled the data using Freedom of Information requests.

Mr Ford said cybersecurity in higher education was at a level similar to that of US healthcare about a decade ago. Only after repeated thefts of patient data, plus government regulation, did hospitals get serious about cybersecurity. For universities now, cybersecurity and IT as a whole were “not seen as an important part of their operation”, he argued.

ɫ��ֱ��

This might matter less if universities were particularly easy to defend.

ɫ��ֱ��

But industry experts have warned that their open, decentralised nature makes them especially vulnerable to the rising threat of cybercrime.

“Think of higher education institutions as like a city,” running multiple systems for staff, students and myriad other activities, said Joanna Grama, associate vice-president at Vantage Technology Consulting Group, who previously worked for Educause helping universities to improve their security.

“There are so many aspects that an institution has to protect,” she said; by contrast, other organisations often know exactly where their “crown jewels” are.

Corporations can also take a much more “top-down approach” and mandate employee security measures and training, Ms Grama added. For universities, it’s tougher to compel students to do the same.

Research project grants are generally controlled by principal investigators, noted Mr Ford. “That’s hard to control for an institution,” he said. “They [PIs] don’t want to spend that money on cyber. They want to spend it on research.”

One key to a secure network is ensuring that software is regularly updated to close security loopholes. This is particularly hard for universities, said Simon Monahan, Redscan’s product marketing director, because they have hundreds of different pieces of equipment – think laboratories, for example – all connected to the internet and running on their own software.

Furthermore, the switch to remote learning induced by the Covid-19 pandemic means that thousands of students are now accessing university networks from all manner of locations using their own personal computers.

This makes it harder to spot “malicious” activity, said Mr Glass. And while students away from campus have long been logging in to university systems, mass online instruction means that “it’s a lot harder to monitor the edges of your networks for odd connections”, he warned.

Sceptics might observe that companies keen to talk about the threat of cyberattacks, like Redscan, may have an interest in creating business for themselves. While Redscan has indeed performed outsourced security testing to universities, this is no substitute for having trained, in-house employees who can rapidly deal with a threat, Mr Monahan emphasised.

Still, universities have one advantage over commercial organisations, Ms Grama pointed out.

They tend to work together, sharing ideas through organisations such as Educause in the US and, in the UK, the Universities and Colleges Information Systems Association (Ucisa). Banks, on the other hand, jealously guard their cybersecurity secrets from each other because top-notch protection is a key commercial advantage.

ɫ��ֱ��

Collaboration is “one of the things that higher education has working for it”, Ms Grama said.

david.matthews@timeshighereducation.com