When it comes to cybersecurity, further education colleges face a very specific set of challenges.
While college leaders will no doubt have welcomed the recent announcement of £400 million in government funding, the boost is the first increase to base rate funding for students since 2013. It's clear that resources have been limited and staff spread thinly as a result. This, in turn, leaves colleges under pressure simply to deliver the day-to-day task of providing education, with little time left to focus on issues such as network security.
Meanwhile, the FE system has been going through a digital transformation, which means more resources, such as coursework and grading systems, are moving online, and campuses are seeing increases in the number of networked computers they have to host. But with these improvements comes risk, and it's important that security concerns are proactively addressed.
There are several reasons why FE colleges are becoming increasingly attractive to cybercriminals.
Colleges store the payroll information of dozens of staff and the sensitive personal data of sometimes thousands of students. Young people who attend colleges are often just starting to manage their own finances and might well be opening their first current accounts.
High street banks regularly attend events at colleges and careers events to encourage young people to sign up for banking services. However, they may not provide young people with the tools to recognise social engineering or phishing attacks – where hackers pose as a trustworthy entity (usually via email) to obtain sensitive information such as usernames and passwords.
Another consideration is the rise of BYOD, or "bring your own device". Every USB stick, smartphone or laptop has the potential to bring malware into a college's internal network. As a result, cybercriminals will often look to target students, using them as a simple entry point into the college's other systems.
FE colleges also typically have very good connectivity now, thanks to the Janet Network, a high-speed network that caters specifically for the UK's research and education community. Lots of users, lots of bandwidth and close peering relationships with other networks together provide a potentially excellent base from which a hacker could launch cyberattacks on connected institutions, be they colleges, schools or universities.
Let’s not forget that some FE institutions are also businesses, generating millions through publishing research and charging fees to students.
These organisations have treasury operations that would not look out of place in a small credit union or building society and pose a very attractive target for criminals.
When IT teams lack dedicated security expertise and don't have the resources for regular security monitoring, they are often unable to respond effectively if something does go wrong. With these points in mind, it's easy to see why, when measured against other types of organisation, FE colleges may appear to be a comparatively soft target.
Closer to home
A recent government-funded security analysis of cyberattacks against colleges found that staff and students are often more likely to be responsible for an attack than external criminals. While it's notoriously difficult to identify cybercriminals, the analysis examined the timing of 850 attacks over a one-year period and found a clear pattern suggesting the involvement of staff or students.
This will come as no surprise to many IT professionals, as student bodies are often a particularly difficult group to manage from a cyber risk perspective. The ramifications faced by students who break the rules are normally far less severe than they would be for an employee in a business, for example, whose livelihood and career progression are partly dependent on toeing the line. Given the size of FE colleges and the short window of time in which young people study there, it's also difficult to build the bond of loyalty that might prevent them from acting maliciously.
While it’s not always possible to identify the exact motive behind a student attacking their college, speculation points towards young people enjoying the ‘fun’ of disruption or seeking kudos from their peers. There’s also the consideration that some students may bear a grudge against a teacher or seek to somehow alter a poor grade.
This was the case when 16-year-old Adam Mudd launched a distributed denial of service (DDoS) attack, in which a network is flooded with internet traffic so that genuine users can't access it, on his college after he felt it had failed to act when he reported being mugged on campus. The computer science student was later jailed for two years. Meanwhile, West Herts College was left footing the bill for the cost of investigating, not to mention the incalculable damage to productivity.
While in cases like this a student might consciously set out to inflict damage, not all security incidents are malicious. Often, students just aren't aware of the accidental or negligent damage they can cause and how serious the results can be for both themselves and their institution.
People are the biggest security vulnerability for any organisation. The young people who make up much of a college’s population will generally have grown up with technology and be very comfortable using it. But it’s important to remember that being tech savvy is not the same as being security savvy.
Students can often be caught out by innocuous-seeming actions like using insecure instant messaging platforms, connecting an unknowingly compromised laptop or mobile phone to campus Wi-Fi, or clicking on links in emails from unverified sources.
A college's best tool for reducing cyber risk is to invest in educating staff and students on how to safeguard against an attack. It's important to understand that mistakes will happen, and while it's clear cybersecurity will rarely top a college's list of priorities, taking proactive measures now will help prevent the worst-case scenario in future. Training staff and students on the importance of strong, unique passwords and on how to spot common phishing attacks are examples of simple measures that can be very effective.
Colleges must work towards staff and students gaining a solid understanding of cyber threats, whether that’s through including it within the induction process or by making it easier for people to come forward if something does go wrong.
Cyber defence mechanisms should be in place, especially as many colleges run open networks that students log into. Managing these environments effectively requires a strict defence strategy, with access controls in place: at a minimum, student devices should be kept separate from the staff and administrative systems that hold payroll and personal data.
The duty of care that schools and colleges have for their students is much more encompassing than that of a business for its employees, so knowing how to protect against breaches is paramount. When an organisation’s main mission is to protect young people and provide essential learning, a disruption in service is something FE colleges simply cannot afford.
Andy Barratt is UK MD at cybersecurity consultancy Coalfire