Universities are large institutions and their online databases hold a wealth of sensitive information. Colleges and universities tend to be popular targets for hackers and the threat posed to the university sector is part of the broader context of the threat to the UK as a whole. Cyber attacks can be devastating and key cyber threats to universities are likely to be criminals seeking financial gain, or nation states looking to steal personal data and intellectual property.
Cyber attacks are becoming increasingly sophisticated, so there’s never been a better time for universities to improve their online security. If you’re looking to reduce the risk of cyber attacks and help keep staff and students’ data safe, read on for our handy guide.
How do hackers target universities?
Hackers may target universities to gain access to sensitive or confidential information, including emails, bulk personal information on students and staff, technical resources or intellectual property.
Cyber attacks take several forms, which we will discuss in more detail below.
Phishing
Phishing attacks involve sending a fraudulent message, disguised as one from a credible source like your bank, university or mobile phone provider. Phishing messages are designed to trick the recipient into revealing sensitive information, or they might contain links which will deploy malicious software onto a computer or device.
Phishing attacks are incredibly common amongst universities and one survey found that as many as seven out of ten universities had been affected. Phishing attacks can result in payments to a fraudulent recipient, loss of personal information or login credentials, or harmful malware spreading throughout a university’s system.
Malware
Malware (short for malicious software) is a powerful method of cyber attack. Malware may be designed to enable the theft of information, provide the attacker with long-term access to a system, or render machines and data inaccessible until a payment is made.
SQL injections
Also known as insertion, SQL injections are attacks designed to bypass password protections. They work by exploiting vulnerabilities in the way a target website uses SQL (Structured Query Language), the language that manages and communicates with databases.
SQL injections can trick a website and fool it into delivering code to its database as a legitimate query. Hackers can then gain access to a website’s database.
How to reduce the risk of cyber attacks
Cyber attacks can have a serious impact on universities, from financial losses to serious data security breaches. Luckily, there are plenty of ways for universities to defend themselves against cyber attacks.
Install antivirus software
Antivirus software is essential for any university that wants to protect itself from viruses and harmful malware. There are many flexible packages available, including shared or virtual cloud-based solutions.
This type of software offers professional protection against viruses and it can filter up to 99% of spam emails. This prevents phishing attacks from even reaching staff or students’ inboxes in the first place, drastically reducing the risk. Some companies, like anti spam software company MailCleaner, even offer discounts for schools or universities.
Increase staff and student awareness
Cyber attacks can be very sophisticated but you have a greater chance of protecting your institution if staff and students know what to look out for. Provide regular staff training, especially for anyone responsible for handling sensitive information. Staff and students should also be educated on phishing and how to spot a potentially fraudulent email.
Be very clear about what legitimate university emails will look like and advise students and staff to never open any links or attachments if they’re unsure. Strong passwords should also be encouraged, especially for their university email and login details.
Regular updates
Cyber criminals can exploit any vulnerabilities in your system, so make sure you’re installing regular updates. This applies to your antivirus software, your web browser, apps and operating system. Updating your systems will ensure that you’re as protected as possible all year round.
Implement access controls
Universities have a large workforce and an annual turnover of tens, or even hundreds, of thousands of students a year. This means that they naturally require a large network with many different entry points.
It’s therefore essential to create access controls limiting who can access certain information. This reduces the risk of students or staff viewing information if they’re not authorised to do so and it limits the impact of a cyber attack if a cyber criminal does manage to hack into an individual account.
Share intelligence
Cyber criminals often target multiple institutions at once, looking for any weakness that can be exploited. It’s important to communicate with other universities or colleges to discuss any threats you face and to share intelligence about how to protect against an attack.
For example, one university may have been the target of a phishing campaign; they can then share their information so that other universities know what to look out for. Universities can also share protection methods that have worked for them, or any steps they’ve taken to help them prepare against an attack.
Improve network design
Good security is essential but universities often face the challenge of establishing efficient security, without impacting the ease with which information is shared. This means that computer network design is key, to make sure that systems are protected without compromising on ease of sharing or access.
Most university networks are composed of smaller private networks which provide services for faculties, laboratories and other functions. This allows information to be shared easily, but private networks can also be more vulnerable to unauthorised access. Even so, using separate, smaller networks allows universities to separate high value or sensitive data and apply more security measures where necessary. This allows for greater protection without compromising the openness of the wider network.
Prepared statements
This is a method used to protect against SQL injections. Universities can write the queries that reach their underlying databases as prepared statements, which ensures that an attacker is not able to change the intent of a query. Prepared statements offer protection even if SQL commands are inserted by a cyber criminal, because SQL commands posing as user input data are rendered powerless.
Stored procedures
Stored procedures can have the same effect as prepared statements, with one primary difference. With stored procedures, the SQL code is defined and stored in the database itself and then called from the application. Stored procedures may not be as effective as prepared statements, but they can be if they are written and implemented correctly.
Input validation
This is another way for universities to protect themselves specifically from SQL injections. SQL attacks are designed to exploit applications and databases that do not cross-reference and validate inputted data. So, to protect against attacks, it’s important to construct a database that requires input validation. This is a tried and tested method that has been recommended by trusted industry bodies, such as Microsoft.
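The difference between a query built from user input and a prepared statement, with input validation in front of it, is shown in the added example below. It is not code from this article or from MailCleaner; the accounts table, the function names and the username format are assumptions made for illustration, and the sample data is constructed.

```python
import re
import sqlite3

# Constructed sample data: a hypothetical student-portal accounts table.
# (pw_hash stands in for a stored password hash; values are placeholders.)
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO accounts VALUES ('asmith', 'hash-a'), ('bjones', 'hash-b')")
    return db

def login_concatenated(db, username, pw_hash):
    """Weak form: user input is pasted into the SQL text, so it can change the query."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash + "'")
    return [row[0] for row in db.execute(sql)]

def login_prepared(db, username, pw_hash):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    sql = "SELECT username FROM accounts WHERE username = ? AND pw_hash = ?"
    return [row[0] for row in db.execute(sql, (username, pw_hash))]

# Input validation: allow-list of what a username may look like (assumed format).
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{2,15}")

def login_validated(db, username, pw_hash):
    """Validation in front of the prepared statement, as defence in depth."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input validation")
    return login_prepared(db, username, pw_hash)

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input posing as a password
    print(login_concatenated(db, "asmith", crafted))  # query intent changed
    print(login_prepared(db, "asmith", crafted))      # treated as plain data
    print(login_prepared(db, "asmith", "hash-a"))     # legitimate login
```

SQLite has no stored procedures, so that option is not shown; the same rule applies there, in that the procedure must bind its parameters rather than build SQL text from them.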
Anti spam software for education from MailCleaner
If you’re looking for reliable anti spam software for your school or university, get in touch with the experts at MailCleaner. The performance of our systems enables them to filter very large networks with a lot of email addresses, such as those typically used by universities. Our anti spam software offers professional protection against viruses and it can eliminate up to 99% of spam email for your peace of mind.
Worried about the cost? Don’t be – we offer large discounts for educational establishments and the price does not depend on the number of servers. Contact us today for more information about our anti spam software and to discover how we can help protect your university from cyber attacks.