A photo of a screen with computer code.
A photo of a screen with computer code. Credit: Shahadat Rahman / Unsplash Credit: Shahadat Rahman / Unsplash

A recent Angus Reid poll launched in response to the growth of online learning, revealed that 76 per cent of Canadian post-secondary students surveyed are concerned about cybersecurity. That’s up 10 per cent from pre-pandemic times.

In fact, 79 per cent feel their university or college should be responsible for protecting them from cyber attacks. Nearly half of those surveyed said their decision to attend a university or college would be influenced if the school was known to have experienced a data breach or had a reputation for weak cybersecurity.

Accessing ransomware and hacking tools has never been easier. That’s led to a rise in well-organized and sophisticated hacking gangs able to launch attacks from anywhere in the world. Increasingly, the education sector is being targeted.

Post-secondary schools have a wealth of sensitive data including health and financial information, academic performance records, and personal student and faculty records. These institutions also have extremely valuable, proprietary research and development data and intellectual property.

The COVID pandemic forced colleges and universities to transform their digital capabilities literally overnight. Remote classrooms, research collaborations, student/teacher communications, third-party and vendor management suddenly needed distanced support.

While a quick transition helped ensure the physical health and safety of students and staff, it dramatically increased what is known as the ‘attack surface,’ which is all of the different places unprepared school networks, systems and databases could be breached.

“Cybersecurity is the latest challenge facing higher education institutions, with many students putting the onus on their schools to keep them cyber safe,” said Kevin Dawson, President and CEO of ISA Cybersecurity in an email interview with rabble.ca. “Interestingly, 44 per cent of respondents say their school doesn’t provide enough training and resources to help ensure students’ personal information is protected from threats, yet only 49 per cent say they follow the guidelines that their academic institutions do put out.”

Ransomware attacks doubled in 2021

The study follows a recent report by IBM Security X-Force showing that ransomware attacks against the education sector more than doubled globally from 10 per cent in 2020 to 22 per cent in 2021.

Strengthening cybersecurity often comes down to budgets. Financially-motivated cyber criminals target post-secondary schools with lower defenses wagering that the added pressure of a ransomware attack will reap high returns in a short time.

Dawson recommends schools document IT policies and procedures and provide security awareness training for staff and students. He also suggests implementing multi-factor authentication, maintaining robust patch management and backups, implementing endpoint protection as well as a security information and event management (SIEM) program.

Andrew Toth, Commerce student at Queen’s University, told rabble.ca through email, “I had concerns about my data when supplying my university with my vaccine passport during COVID. These concerns were not because I had any ideological issues with vaccine passports, but more so the idea my university would have permanent access to that medical information. But since physical safety was the issue, I didn’t hesitate for long before sending it in.”

Toth went on to say that he did not recall receiving information from Queen’s specifically addressing how to protect himself from cyber threats.

According to Toth, Queen’s data was breached a few months ago. The data of Life Science students was accidentally disclosed to everyone in fourth year. The shared information included students’ full name, gender, student number, grade point average, and academic plans. Queen’s publicly apologized but little was released to students about how the university would follow up.

People are the first line of cyber defense

Dawson acknowledges people are the first line of defense against many forms of cyber attack. So, while post-secondary schools must provide secure services for their students, their students must also take an active role in protecting themselves.

“We live in a digital age, so cybersecurity awareness is effectively a life skill that everyone should have,” said Dawson.

That’s why it’s important for students to participate in regular cybersecurity awareness training to ensure phony links don’t get clicked or infected attachments opened exposing information that can be exploited or monetized for identity theft, phishing, held for ransom, or sold on the dark web.

When students realize what’s at stake, they see the importance of working with their school to prevent information theft as well as the bigger picture that protecting their data also applies to their personal and professional lives.

About two-thirds of students surveyed had taken steps to minimize their risk of cyber attacks. Measures employed included increased computer security features, following guidelines put out by their academic institution, and reading articles and books on minimizing risk.

Getting cyber safe

The Government of Canada’s Get Cyber Safe website is a great place to start. It has engaging and practical information to help increase cybersecurity awareness. Their blog provides information on the latest trends in phishing and how students can protect themselves.

The Canadian Anti-Fraud Centre website also has information on current phishing outbreaks and other scams. ISA Cybersecurity has also published articles on cyber awareness for students, and offers a “Weekly CyberTip.”

Toth has added malware scanners that filter out phising scams, spam and other risks from online sources. Still, he admits, “a lot of my understanding of online threats like scams and hackers comes from experience. My experience with, for example, sports streaming websites has taught me to instinctively spot targeted popup ads and potential scamming websites. Although I can usually recognize these sites, I will still sometimes mis-click and find myself down a popup ad explosion.”

Almost every application, service, computer, and device generates logs reporting on how a system is functioning. With all the in-house and cloud systems, networked devices, and wireless equipment in schools today, it’s impossible for humans to assess, correlate, and react to the volume of operating data created every minute by the systems, in case something is going wrong.

“What’s great about SIEMs is that they can provide a high-level view of what’s happening on an entire network, across devices, in real time,” said Dawson. “A warning message that might be of mild concern if it appeared on a single server became much more worrisome if it flashes across several systems at the same time. A SIEM’s ability to normalize and cross-reference log data brings insight out of all the noise, enabling real-time threat detection and incident prioritization”

Doreen Nicoll

Doreen Nicoll is weary of the perpetual misinformation and skewed facts that continue to concentrate wealth, power and decision making in the hands of a few to the detriment of the many. As a freelance...