The rich data providers hold make them a target for attack and this, together with the scrutiny their data protection practices are coming under, calls for a renewed effort to address cyber risk. Getting things wrong risks significant fines under the General Data Protection Regulation (GDPR) and claims being brought against them for compensation.
The threat environment
There are a number of ways in which cyber attacks are perpetuated, and the tactics used by hackers are constantly evolving.
Ransomware attacks have grown in popularity in recent times. They involve hackers installing malicious software on to computer systems that prevent businesses carrying out everyday operations or accessing data or other assets. Businesses are prompted to make a payment to the hackers to decrypt the systems and data impacted.
Ransomware was used in the 'WannaCry' attack that crippled NHS systems in the UK, and many others throughout the world, in 2017, and it was also used in an attack against Uber, for which the company was later fined in the UK, Netherlands and France for failings under data protection law. A study published in early 2019 by researchers in Singapore, in partnership with insurance industry and academic experts, suggested that businesses around the world could be exposed to up to $166 billion in uninsured losses as a result of a major ransomware attack.
Ransomware attacks often originate from more common 'phishing' attacks, which is where hackers embed malware hidden in links or attachments generally sent by email or text message and which, when opened by recipients, enable the hackers to gain access to networks linked to the device and systems and data located therein.
Institutions in the higher education sector are perhaps more susceptible to attacks than major corporations. They have smaller IT budgets and their IT estate is often old and disparate, containing multiple points of vulnerability. Campuses too are often spread across multiple locations, and buildings can be widely accessible.
In addition, unlike staff working for major businesses who may have access to cybersecurity training, face contractual obligations and are more likely to operate more cautiously given the prevailing cyber risks, students are perhaps less aware of the risks or less bothered about the potential consequences of clicking on suspicious communications, enhancing the risk that intruders will gain access to other networked devices and data.
Generally, cyber attacks are indiscriminate. Hackers tend to aim attacks at multiple targets, not just one, and not know what specific data they might access when perpetuating attacks. Sophisticated, targeted attacks are the exception, but given the commercially sensitive information that providers could hold from research projects they are involved in, they must be aware of the risk of such attacks.
Data protection risks and scrutiny
Much of the data that providers hold will be classed as personal data. They will hold personal data on a range of back-office systems, including those specifically recording students' performance, as well as HR, finance, payroll and library systems. Strict rules on how this data should be handled are contained in the General Data Protection Regulation (GDPR).
Higher education providers, like other organisations responsible for personal data processing, are required by the GDPR to implement adequate operational and technical measures to keep that data secure.
They also have an obligation to notify personal data incidents to data protection authorities "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In this regard, ignorance is not bliss – institutions that fail to invest in technology and resources to help them identify when incidents have occurred and then claim a lack of awareness of incidents will only draw criticism from data protection authorities over the adequacy of their data security measures and open themselves up to large fines.
Data subjects impacted by the breaches must also be notified, without undue delay, where there is a high risk of damage arising to them.
Some of the personal data providers hold about students is significant to their career and life prospects and, if that data is exposed, it could lend weight to claims for compensation.
Students could seek compensation under the GDPR for damage caused to them as a result of a university's data security failings. This might include claims based on the distress caused by a cybersecurity incident compromising information pertaining to their course performance or even disciplinary matters. It is another factor that should drive cybersecurity planning and improvements at institutions.
The security of personal data that providers are responsible for has come in for recent scrutiny by the UK's Information Commissioner's Office (ICO).
The ICO issued its first ever fine against a university for a breach of data protection law in 2018 – a £120,000 penalty imposed on the University of Greenwich over a data breach.
In a more recent report, the ICO also raised concerns about other data protection practices within the higher education sector. It confirmed that it would work with Universities UK to "consider the risks arising from use of personal data by academics in a private research capacity and when they work with their own private companies or other third parties", including data sourced from social media.
How to prepare
Providers will only have a limited IT security budget, so it is vital to spend that money in the most efficient way.
Of course, technologies to help defend against attacks should be explored, but providers would be advised to focus much of their resources on detection tools – to help them quickly identify when systems have been breached – and in incident response.
Coordinating a speedy response to a major cybersecurity incident is a significant challenge for any organisation, and therefore it is vital that providers develop and thoroughly test a cyber incident response plan.
In drawing up such plans, providers will identify important internal stakeholders and external advisers needed to respond quickly and effectively to incidents. Departments such as IT security, information systems, HR, communications, legal and risk are likely to be involved. Streamlined processes and clear reporting lines should be set out in the plan to ensure incidents identified are escalated quickly.
An increasing number of insurers offer cyber insurance products. They not only provide cover against losses stemming from the likes of business interruption, cyber extortion and data loss, they also often provide policyholders with access to a wide range of external experts to help them with incident response, such as forensic IT investigators and PR and crisis management specialists.
The UK government-backed 'Cyber Essentials' scheme also offers the chance to assess and certify against industry standards on data protection and cybersecurity, and limited cyber insurance indemnities are also on offer for institutions that gain accreditation.
David McIlwaine is an expert in cyber risk at Pinsent Masons, the law firm behind Out-Law.com. Find out more about education technology in our upcoming whitepaper.