Cybersecurity in Tertiary Education: A Growing Concern
When considering industries vulnerable to cybercriminal activities, tertiary education may not immediately come to mind. However, the latest edition of Microsoft’s Cyber Signals report reveals a startling reality: education was the third most targeted industry in the second quarter of this year. The combination of valuable data and inherent vulnerabilities within educational systems has attracted various attackers, from those employing sophisticated malware techniques to nation-state actors engaged in traditional espionage.
The African Context: A Hotbed for Cyberattacks
This issue is particularly pressing for tertiary institutions in Africa, which have become prime targets for cybercriminals. A recent study of 60 Kenyan universities indicated that most of these institutions were experiencing hacks, compounded by a lack of adequate cybersecurity policies and controls. This includes deficiencies in organizational, human, physical, and technological resources.
For instance, last year, a prominent Moroccan institution faced a significant security breach involving its master’s degree nomination platform, while a private university in Nigeria had its website completely compromised by hackers. Such incidents underscore the urgent need for enhanced cybersecurity measures in the education sector.
The Scale of the Threat
The Cyber Signals report highlights the alarming scale of cyber threats targeting educational institutions. In the past year alone, more than 15,000 emails containing malicious QR codes were sent daily to the sector using Microsoft Office 365 email. This statistic illustrates the targeted and persistent nature of these threats, emphasizing the need for institutions to adopt robust cybersecurity strategies.
Why Are Educational Institutions Targeted?
Several factors contribute to the education sector’s vulnerability to cyberattacks. Unlike typical enterprises, universities host a diverse group of users, including students, faculty, and administrative staff. The open and dynamic nature of university environments, characterized by frequent activities and a mix of international students, makes them particularly susceptible to cyber threats.
Moreover, the email systems used in educational institutions often create wide avenues for compromise. The necessity for accessibility—allowing alumni, donors, and external collaborators to communicate freely—means that universities may be more relaxed about email security. This combination of openness and insufficient controls renders them prime targets for cybercriminals.
The Impact of Remote Learning
The shift to virtual and remote learning has further complicated the cybersecurity landscape. Educational applications now extend into homes and offices, where personal and shared devices—often unmanaged—are prevalent. Students, who may not be well-versed in cybersecurity best practices, can inadvertently expose their devices to risks, creating additional vulnerabilities within the educational ecosystem.
Legacy Infrastructure: A Double-Edged Sword
Many tertiary education institutions grapple with legacy infrastructure, which leaves them exposed to cyber threats. Funding and operational challenges often mean that cutting-edge digital classrooms must coexist with outdated applications and IT assets. This patchwork of systems complicates the management and safeguarding of sensitive data, particularly when institutions struggle to retain cybersecurity experts on staff.
The Allure of Intellectual Property
Nation-state actors are particularly interested in the valuable intellectual property and high-level connections that universities possess. Cybercriminals recognize that educational institutions handle sensitive, regulated information while needing to remain open and accessible, making them attractive targets for ransomware and extortion. For example, hackers may initially target individuals in the education sector with ties to defense organizations, using that access to launch more convincing phishing attacks on higher-value targets.
Strengthening Cybersecurity Measures
Given the increasing threats, it is crucial for educational institutions to introduce a strong security curriculum. While enhancing security measures can be daunting and costly, there are practical steps that schools can take to protect themselves.
-
Understanding the Threat Landscape: A clear understanding of the current threat environment is essential. Reports like Cyber Signals serve as invaluable resources for chief information security officers and their teams, helping them refine technologies, policies, and processes.
-
Promoting Cyber Hygiene: Maintaining strong cyber hygiene is vital. Raising awareness of security risks and promoting good practices among students, faculty, staff, and administrators can foster a safer environment.
-
Centralizing Technology: IT and security professionals in education should consider centralizing their tech setups to monitor activities more effectively and identify vulnerabilities more easily.
-
Implementing Protective Measures: The Cyber Signals report recommends using protective domain name services to block access to harmful websites and enforcing strong passwords along with multifactor authentication to prevent password spray attacks.
-
Leveraging AI Tools: For under-resourced IT teams, tools like Microsoft Copilot for Security can significantly enhance the efficiency and capabilities of security defenders, allowing them to improve security outcomes at machine speed and scale.
- Educating the Community: Universities should prioritize teaching students and staff about good security habits, encouraging the use of multifactor authentication or passwordless options. According to the report, accounts with multifactor authentication are over 99.9% less likely to be hacked.
Conclusion: Building a Culture of Security
By implementing stronger defenses and proactive measures, universities can better equip themselves to fend off the increasing threats to their sensitive data and groundbreaking research. Building a solid security posture is not solely about technology; it also involves fostering a vigilant culture prepared to manage potential attacks. Investing in these measures now will safeguard valuable assets and ensure that critical educational work continues without disruption.
As the Country Director of Microsoft Nigeria, I emphasize that the time to act is now. The future of our educational institutions depends on our ability to adapt and respond to the evolving landscape of cyber threats.