#

Back to Blog

Understanding Higher Education Cybersecurity Threats to Research and IP

by | Dec 2, 2021

In today’s age of digital transformation, business-critical data, from customer information to intellectual property (IP), is an attractive target for hackers and malicious insiders alike. While enterprise and consumer data breaches dominate the headlines, intellectual property and research conducted by higher education institutions are equally at risk. Many universities work with both public and private sector research partners as a source of income and cannot afford to suffer a breach or attack on the research IP they are tasked with collecting and protecting. The impact of higher education cybersecurity breaches can be mitigated with these tips and solutions to protect research IP.

IP Theft is a Real Issue for Higher Education Cybersecurity

According to a report by IDC, higher education institutions (HEIs) are extremely vulnerable to data theft. HEI’s experienced the most instances of customer information or intellectual property stolen than any other sector: 21% compared to 16% overall.  The impact is significant; the 2020 Cost of a Data Breach Report cites the average cost of a data breach in education as £3.1m. That number does not include the reputational damage and loss of funding that can result from the theft of research IP.

Universities conducting research in collaboration with government agencies, industry and Defence are at risk from foreign and domestic threat actors who target sensitive and classified research. The impact of cybersecurity incidents targeting IP in HEIs is detailed in a Cyber Impact report from the Jisc:

  • Stolen Pencil – In 2018 Stolen Pencil (thought to have originated from North Korea) spearphishing emails were targeted at academics with a view to compromising institutional systems and IP via fake websites, lure documents and the installation of malicious Google Chrome extensions.
  • Silent Librarian – The US Dept of Justice cited a cybercrime group for hacking, wire fraud and identity theft across 2018-2019. The indictment alleged $3.4 billion worth of Intellectual Property was lost due to unauthorised access, 31.5 terabytes of academic data and IP theft from compromised universities, 7,998 compromised university accounts, 144 US and 176 non-US universities affected. This attack followed an earlier Iranian campaign between 2013 and 2017. There is also evidence of Silent Librarian credential phishing campaigns continuing throughout 2019 and 2020.
  • A 2020 ransomware attack affected one university researcher who lost their research data – though it was backed up. Days of reformatting efforts resulted, but the nature of the attack led to a further ten days of high-grade IT support due to a concern that the impact might broaden to other researchers. It did not due to their effort. Processes were tightened because of the incident.

4 Steps to Improve Higher Education Cybersecurity

While collaboration is key to research, HEIs need an accessible and secure environment to collaborate easily and effectively, in order to ensure on-time delivery and high-level research outcomes while at the same time safeguarding the IP in their care.

There are numerous steps that must be taken to holistically address and strengthen security:

  1. Conduct security awareness and training: Ensure that staff and students are aware of and know how to identify phishing scams and other forms of attack and report a potential threat.
  2. Practice good cyber hygiene: IT departments in the education sector should ensure systems are updated and patched regularly.
  3. Secure Remote Access: Ensure the right IT controls are in place to address how staff and students access systems, data, and research from both campus and from their homes – something that has become commonplace with COVID-19 lockdowns.
  4. Implement Zero Trust strategies: Zero Trust is a methodology centered around one key principle: trust nothing, validate everything – even inside the network. It relies on identity and device verification, multi-factor authentication (MFA), least privileged access and network segmentation to reduce the attack surface and limit the potential for insider threats.

Secure HEI Research and IP Collaboration Underpinned by Zero Trust Policies

archTIS provides solutions for HEIs and research partners in industry, government, and defence to collaborate securely, even those working on highly classified and PROTECTED Defence research.

archTIS solutions leverage attribute-based access control (ABAC), a security model that allows individuals to define the rules of who accesses information and under what circumstances. By dynamically measuring the attributes of the user or device and aligning it to the rules of access for the information, ABAC can be an effective way to ensure only the right people in the right context can get access to the information extending the concept of zero trust to data access.

Protecting Classified and PROTECTED Research and IP

The Kojensi platform provides the security controls needed to help HEIs comply with information protection obligations. Kojensi provides an assured and accredited SaaS solution to store, share and collaborate both internally and with supply chain, partners, and clients on information up to Australian PROTECTED. For HEIs that need multiple organisations and multiple nationality personnel to share and collaborate on documents and files, Kojensi enables the individual to set the rules for the sharing of this info – providing immediate value.

Protecting Research and IP in Microsoft Applications

archTIS can provide the same level of granular ABAC-based control for Microsoft applications with NC Protect. It offers advanced information protection across M365 apps, including SharePoint (Online and on-premises), Office, Exchange and OneDrive, enabling simple and dynamic enforcement of rules (using such attributes as organisation, device, location, sensitivity or by keyword and other metadata tags) of data. NC Protect enables simple policy-based access, usage and sharing controls and compliance enforcement for sensitive information, even in an online and cross-jurisdictional scenario like this.

If you are looking for a solution that will assist you in sharing and protecting research and IP, then reach out to the team at archTIS.

Share This