Experts Reaction On University of York Hit by Serious Data Breach

As reported by the BBC, University of York leaders have launched an investigation after personal details of its staff and students were accessed during a cyber attack. Cybersecurity experts responded to the breach below.

Niamh Muldoon, Senior Director of Trust and Security EMEA
July 23, 2020 6:10 pm

Universities are already struggling in the face of the challenges generated by the COVID-19 pandemic, so this is more bad news for the University of York. All personally identifiable information can be valuable if it falls into the wrong hands, and in this case the PII of staff and students was stolen by hackers. While the length of time it took to notify the University is concerning, they may not have known the data had been exposed, and upon hearing, the University acted fast to meet their GDPR requirements. If organisations want to remain trusted with user data, then they must prioritise security and protecting their data. If they cannot attract and retain cybersecurity professionals, then they must partner with trusted organisations – specifically IAM platform providers – who can support them in delivering trusted security platforms and expertise services. Attackers know that many organisations are not taking a strong enough stance when it comes to access security. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS apps including HR systems, file storage services and CRM. Users should follow security best practices for accessing their CRM and use of their online account services. I recommend taking the time to carry out a review of all your other online accounts, and if any of them use the same credentials, including password, as your Blackbaud account, change it immediately and apply two-factor authentication where possible.

Javvad Malik, Security Awareness Advocate
July 23, 2020 12:11 pm

When people think about data to be stolen in a hack, most think about financial information or bank details. However, in the long run, personal information, especially that of young students, can prove extremely valuable to criminals, who can use the information to take out loans or set up fraudulent businesses in the names of the affected individuals.

While it’s good and required that the university has informed the affected individuals, the fact that individuals were not made aware until almost 2 months after the initial breach is worrying. It gives criminals a large window of opportunity to monetise the stolen information.

Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch
July 23, 2020 12:00 pm

Organisations paying a ransom is really troubling and highlights that many will do anything to avoid disruption to their daily operations. Our recent State of Email Security report found that the average downtime in the UK from a ransomware attack is three days; for many this time gap is unacceptable and drives organisations to pay the ransom. However, it is recommended that victims should never give in to the pressure and pay the ransom, as there is no guarantee that encryption keys will be provided. Payment also encourages cybercriminals to try their luck for more. Ransomware attacks only work because victims pay; it will only stop if organisations refuse to pay.

Our research found that 50% of UK organisations have been impacted by ransomware attacks in the last year, and as long as organisations continue to pay, attackers will view this attack approach as being financially viable. It would have cost a lot less if the organisation had invested properly in its cyber resilience before the attack took place, as it is entirely possible they would have been able to recover to business as usual without paying. These criminals and others now know that this organisation is a target that pays and there is a significantly increased likelihood of further attacks if no significant cyber-resiliency changes are implemented quickly.

To minimise the threat of ransomware attacks, organisations must implement adequate resiliency measures to preserve business-as-usual should the worst happen. Non-networked backups and a fallback email and archiving process need to become standard security measures if organisations are to significantly mitigate ransomware threats. Individual users can also assist greatly by being aware of the potential for unsafe attachments, but should also be wary of clicking any email links received in any communication, as criminals are increasingly utilising URL links rather than file-based attachments to infect networks.

Jeremy Hendy, CEO
July 23, 2020 11:56 am

Breaches often happen through a security failure at a supply chain partner, three or four levels removed from your own organisation. Universities have complex digital ecosystems, with student and staff data potentially flowing through thousands of different technologies, many of which may not be visible. No matter how good your own network security, someone else may lose your data and bad actors are ready to exploit this; that's why you need to be securing your data, not just your network.

All organisations in a digital supply chain are generally businesses with their own supply chain; it is critical that they enforce security standards with their own suppliers, require ISO certification and set mandatory requirements for data processing. In particular, after the recent European Court of Justice ruling, organisations should be more vigilant with any suppliers relying on the European Privacy Shield as a protective standard.

Kelvin Murray, Senior Threat Research Analyst
July 23, 2020 11:52 am

Educational organisations continue to be targeted for cyberattacks. Unfortunately, the sprawling nature of a university, with all its separate faculties and facilities, and the inevitable movement of data between departments make IT administration and security challenging to implement and maintain. Additionally, universities contain a wealth of intellectual property which can be valuable to hackers, especially those acting on behalf of governments.

To mitigate future attacks, IT teams must properly audit all machines connected to their networks and the data they hold. Security awareness training should be implemented for staff and students from day one, ensuring that they are vigilant in scrutinising the types of emails they receive. This should be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and sensible password policies.

A tricky issue is that precious data is on individual students' laptops and desktops as well as university servers, and the monitoring of access and the massive benefit of stolen credentials pose real difficulties for IT departments; a highly tied-down environment doesn't match the knowledge-sharing culture of universities.
