Why academic institutions are at risk of cyber attacks, and the library’s role in cyber security and risk assessment

We live in an increasingly interconnected world. While this gives us the advantages to access information and resources from any device in almost any location, it also makes our networks vulnerable to cyberattacks.

And the pace of cyberattacks is increasing. Statistically, a ransomware attack occurs every eight minutes. Not only companies in the field of telecommunication or financial services are the target of criminals. In the past years a number of academic institutions worldwide have been confronted with ransomware attacks, stealing personal information from university students and employees, such as addresses, phone numbers, social security numbers, academic progress reports and financial documents. In some cases, this data then gets posted on the dark web where it can be used for criminal activities.

Thirty years ago, libraries were not as connected to the rest of the university as they are now, explains Alan Brill, senior managing director in the Cyber Risk practice of Kroll, and a fellow of the Kroll Institute. Libraries used to be semi-autonomous, they used systems that just worked in the library setting. Now everything is interconnected and students can reach the library through the university network. At the same time the library can reach out to students, faculty, staff and other libraries, all through a network. This interconnectedness between the library and the institutions is being exploited by cyber criminals. 

According to the Scholarly Networks Security Initiative the higher education sector in particularly is facing cyberattacks due to the large amount of personal and research data that universities and library systems store routinely. A report published by the National Cyber Security Centre shows that the university sector was the third most vulnerable to cyberattack.

So how can academic institutions protect themselves from these attacks? 

Usually the risk of a cyberattack is not focused on one department but it exists across the whole organization. This means that every part of the organization has to have an awareness of security, says Brill. So for example, if you have a bookstore on campus that offers credit and debit card payments, it is important, that they follow payment card industry standards. Or if the campus has a healthcare facility, the university needs to make sure, that this data is stored securely, explains Brill. He points out that this is also true for libraries for whom information is at the center of their work. Libraries have to take the responsibility for securing their parts of the system, and be an active participant in the overall cybersecurity strategy.

According to Brill, when operationalizing cybersecurity, there is a deep intertwining between the elements. The library knows the information that it wants and it understands how that information should be appropriately distributed. The IT department will then, based on the library’s instructions, make sure only people that are part of the university’s network are given access to resources.

However, the IT department will need to authenticate who is out there and determine what their characteristics are. It can then pass along this information to the library, for the library systems to make the decision on whether to grant or deny access to specific parts of the library. 

At the same time, according to Brill it is important, that the administration, registrar’s office, faculty and library staff, all do their part to achieve strong, pre-emptive cybersecurity. Cyber responsibilities should not be siloed off to the IT or risk management departments.

But why are academic institutions being targeted by cyber criminals?

One of the reasons is that universities and colleges have libraries with huge amounts of non-public research information. Criminals can get into a research network and see what's going on, what's being tested and how are those tests going. Not only is this kind of data useful to governments for espionage, but it also has an economic value, explains Brill. Let’s say for example researchers are working on a drug trial. Criminals entering the institution’s network will be able to see if the trial is going well or not and this information could be used for insider trading.

In summary, universities are targets for cyberattacks because their data is vulnerable and valuable. Not only does the personal data of student and staff that universities hold provide opportunities for ransom attacks, on top of that latest research findings can become a target for international espionage. That’s why it is vital for academic institutions to provide resources to cybersecurity and protect themselves from potential attacks.

We invite you to explore Springer Nature’s resources to support the Library’s role in Cybersecurity and Risk Assessment and to listen to Alan Brill’s podcast series on this important topic here.