In the past year, Arctic Security has formed partnerships with cybersecurity providers in education; Global Grid for Learning (GG4L) was the latest, in addition to Kovexa, with whom we have been working for a while now. These are important relationships for us, as we feel the urgency of helping education gain access to effective and affordable cybersecurity protections.
I recently read an article on University Business Online titled “3 big reasons that it’s time for higher education to crack down on cybersecurity”, which illustrates well why this is important. As I looked through this article, I was reminded of the early days of medical device security research, where my presentations were often met with sneers from the medical device community and the constant question, “Why would anyone want to hack medical devices?”
Well, it was frustrating back then, but we don’t hear that question very often anymore. The truth is that the reason anyone hacks anything is, first and foremost, curiosity. Researchers and bad actors are interested in determining if it can be done. That is normally the first step, followed by the ever-present questions of “How can I use this to create chaos?” and, ultimately, “How can I use this information to make money?”
When considering the question of chaos, there are at least two reasons for wanting to create it. One is simply that, to some people, creating chaos is fun, and they like the attention. We see this in practice when we end up notifying our university subscribers that their own students are trying to find exploitable systems. The more insidious reason is either political motivation or some other fundamental social or anti-social behavior. There seems to be no shortage of reasons for wanting to upset the proverbial apple cart.
When considering the money-making angle of hacking, the direct one is plainly and simply for criminal financial gain. People like to take or extort money if they can. There has been a long string of successful ransom attacks against higher education, which will only make it more attractive in the future.
I think it is important to understand the specific motivations and specific issues that a higher learning institution faces. The aforementioned article touches on some of these, but I wish to expand on these a bit.
One reason is that higher learning institutions have money. Sometimes they have lots of money, which they receive from donors, grants, students, and however else they can. Hackers like to go where the money is. They can either figure out ways to access the systems that store and manage the money, or they can create a ransomware attack and wait for the payoff.
The problem is that whether they successfully gain the ransom or not, the target organization is severely disrupted and, in some cases, driven to bankruptcy. The criminals do not care about the consequences. The only way forward is to reduce the likelihood of a ransomware attack occurring in the first place.
Another reason is that many higher learning institutions house medical records, because they often have associated healthcare delivery organizations or student learning centers where low-income people can get healthcare from doctors in training. Again, this is a good target for ransomware.
Perhaps the most interesting reason to target higher learning, however, is that many higher learning institutions are used for research. Everything from medical devices to nuclear devices is part of the research projects found in universities worldwide, and for both intellectual property theft and terrorist reasons, this makes them a prime target for hackers.
Last, perhaps one of the newest potential reasons why attackers would be motivated to go after a university or other higher learning center is for political revenge. Universities and colleges have long been known as places where young minds like to gather and fight for any of a number of social causes.
In the old days, the opposition was mostly limited to physical confrontations on-site with protesters in academic settings. Still, the ever-present, far-reaching hands of the networked world have created an unlimited reach. Those who oppose protesters may wish to slap down a higher learning institution that allows such activities. When you are up against these latter kinds of adversaries, the situation is lost once they gain access; there is no bargaining opportunity for trying to reduce the damage.
Now, this is certainly not an exhaustive list. Still, it does illustrate that there are solid reasons why higher learning institutions need to take heed of the ever-growing presence of cyber attackers. Scans of networks in universities have shown us that there are many open attack vectors.
Many academic institutions have taken heed of such warnings, but the vast majority still fall short of where they need to be. At Arctic Security, we are doing our best to provide affordable ways to take action and be more secure, but in the end, it is the institutions that have to take that step forward. You can try our services for free for a month. Make cybersecurity a priority in January of 2023 and see what you could do. You can find out for yourself, and we offer significant discounts for educational institutions, so it's truly affordable.