The growing challenges of securing Australasian academia
January 1, 2022 / Unisys Corporation
Short on time. Read the key takeaways:
- How can education institutions in Australia and New Zealand respond to shifting challenges
- The types of risks facing educational institutions
- How to better align with compliance regulations while creating a secure learning environment
- Ways to ensure continuous access and effective data management
The education sector in Australia and New Zealand has become a prime target of malicious cyberattacks, as evident in the growing number of reported attacks on schools and universities over the last few years.
These include a cyber attack on the NSW Department of Education systems just before the start of the new school term in 2021, 11 schools in New Zealand affected by the Kaseya ransomware attack, and attacks on the Australian National University (ANU) and Australian Catholic University (ACU).
The risk is not just that the number of attacks has increased. It is that attacks have become more sophisticated.
This surge in cyberattacks is not surprising. Many universities and higher education institutions around the globe have expanded notably within the past two decades in terms of sites, staff and students, putting more pressure on the IT technologies that support them. Unfortunately, traditional IT solutions such as virtual private networks (VPNs) and traditional firewall-protected networks are struggling to deliver the access and security required — not just in the academic world but also in the new working practices required across all organizations. Perimeter expansion creates more risks and threats, increasing the importance of building a cyber resilience model that works.
In addition, while many Australian and New Zealand tertiary institutions already offered digital remote learning, the impact of COVID-19 social distancing mandates required a rapid shift to virtual classrooms for all students at all levels of education. With this expansion of the institution’s perimeter comes greater vulnerability, providing the attackers with more points to target.
Why should education institutions care? Cyber incidents can harm their service delivery and reputation and may involve:
- Theft of information such as intellectual property or sensitive personal data
- Denial of access to critical technology
- Hijacking of systems for profit or malicious intent
- Financial losses
A strong cybersecurity approach comprises technologies, processes and controls designed to protect IT systems and sensitive data from cyberattacks. And rather than focusing on simply preventing attacks, an effective cybersecurity approach requires a framework that ensures resilience by minimizing the extent of a breach if it happens — and it will happen. A cybersecurity framework should cover threat identification, protection, detection, response and recovery of IT systems.
Consider just a few of the issues routinely encountered in the educational sector:
Aligning with compliance regulations. After major reforms were introduced in 2014, education organizations must comply with the Australian Privacy Principles, and in 2020 similar Privacy Principles were adopted in New Zealand. Before that, education institutes were subject to baseline standards such as Payment Card Industry Data Security Standards (PCIDSS), which were restrictive as only relative to the people working with payment card data. In ANZ, many have opted to adopt measures recommended by their national government to mitigate cybersecurity incidents, such as the Australian Government’s Essential Eight mitigation strategies and CERT NZ’s ten critical controls in New Zealand.
Meanwhile, in Australia, there is debate about including higher education under the revised critical infrastructure bill, which requires universities to comply with more government-required regulations and cyber controls.
Ultimately, there is growing scrutiny and attention on how higher education protects its cyber infrastructure and data. This requires more budget and strategic thinking around how to secure critical assets. And regulations constantly evolve, so they need to keep track and do more than they are used to.
Creating a secure virtual learning and research environment. All higher-education establishments are developing alternative ways of teaching in this COVID-affected world. Remote and virtual learning options are becoming the norm. This paradigm shift affects every stakeholder: staff, students, guest lecturers, research partners, private sector parties, suppliers and more. These stakeholders need properly authorized, secure, and easy-to-use access to the university facilities and the individuals with whom they interact.
In addition, research is critical for many universities to maintain links with industry and generate income. However, enabling research through easy and secure access to data and collaboration is challenging when researchers are spread across multiple sites. During the global pandemic, these difficulties were further heightened as more and more work needed to be carried out remotely, often outside the university’s physical network infrastructure and the traditional firewall protection.
Effective data management and protection. Many systems within universities deal with personal identifiable information (PII), intellectual property (IP) and payment card information. These systems have been upgraded, and their security has been reviewed under the new privacy act requirements. However, this must be ongoing as new vulnerabilities are discovered daily, and attacks become even more sophisticated.
Overall, these issues show that academic institutions need a secure way of segmenting their networks and the ability to provide secure access to vital resources, data and applications anytime, anywhere.
The limitations of legacy applications and the demands of compliance
Like many organizations responding to the need to accommodate new working patterns, universities and higher-education institutions often have infrastructures that are ill-equipped to handle new challenges, citing issues ranging from network bottlenecks to a lack of adequate security features, such as role-based access, encryption in motion and embedded software security.
In addition, the lack of up-to-date security features means achieving compliance with legislation and standards, such as GDPR, CIDSS, APPs, E8, CERT NZ Top 10, NIST, CIS TOP20, ISO27001 and OWASP, can be problematic.
For those who use VPNs to provide secure remote access to corporate resources, the challenge is that once users are connected, they have access to large, if not all, network sections. This puts sensitive data at risk because if bad actors gain access, there are no further barriers to navigate. They are “home-free” to move where they want and steal what they want.
In terms of security failures, there are many examples in the news. For instance, multiple universities in the U.K. and U.S. were impacted in 2020 due to a ransomware attack against Blackbaud, a provider of alumni database software.
A better solution is required if universities and higher-education institutions are to gain the connectivity and security they need to thrive in today’s world. The optimal solution will not require a “rip and replace” approach. Still, it will instead enhance existing networks, minimizing costs and disruption while offering an ecosystem-based approach to security, integrating what is already there and justifying the existing investments where possible is desirable.
Solutions to meet the needs of today’s universities
Universities tell us that they need two things: first, they need to ramp up the security of their networks to protect their staff, students, data and research; second, they need to ensure that access is still easy and intuitive.
At Unisys, we provide a software-based overlay approach to network security that can be implemented without impacting infrastructure, applications or end users. It offers easily managed identity-based network access and secure cryptographic segmentation with point-to-point encryption of data in motion.