On a recent late Friday afternoon at Brock University, an administrative assistant received a phone call from someone identifying himself as being from Microsoft tech support. The caller alerted her to unusual activity on her PC and asked her to download an app so he could control her computer and solve the problem. After doing so, she noticed the cursor moving erratically around her screen, but to little effect. The reason? The administrative assistant wasn’t using a PC, but an iMac. It quickly became clear the person on the phone wasn’t a Microsoft rep, but a cybercriminal trying to hack her computer.
“Luckily, nothing happened, because the person couldn’t figure out how to navigate her computer. Also, another person in the office overheard the conversation, figured out something was wrong, and ran over and unplugged her computer. … It could have turned out to be a really nasty event,” said David Cullum, Brock’s associate vice-president, information technology services.
As unsettling as the Brock incident was, it was hardly novel. Mr. Cullum said that each day the university wards off thousands of attempted cyberattacks – mostly efforts to breach its computer network’s security firewall, but more and more attacks are of the personal-contact variety described above.
With that in mind, last spring, Brock joined with four other Ontario universities – Queen’s, Wilfrid Laurier, Laurentian and OCAD U – and three community colleges to recruit a shared chief information security officer, or CISO. The schools partnered on the hire with the non-profit organization ORION, which provides high-speed fibre-optic connectivity services to Ontario’s education, research and health-care institutions. In this two-year pilot project, the CISO is helping the schools assess their cybersecurity practices and better defend their digital networks.
“The institutions didn’t have the human or financial resources to address information security properly. They wanted leadership on this issue, someone to offer guidance and develop a comprehensive solution,” said Farooq Naiyer, a seasoned IT security and compliance professional who was hired to the new post. ORION is sharing the cost of the new position. “A lot of the decision came down to budget and resources, as it often does … so working together makes our lives easier,” Mr. Cullum said.
The participants also understand that, to deal with the increase in both the volume and sophistication of cyberattacks, working in silos won’t cut it. Through this collaborative approach, the top information technology executives at each of the schools can share information about effective cybersecurity strategies, tactics and tools. “None of us is an island. We’re all dealing with the same security issues, so we can all learn from each other,” said Nela Petkovic, chief information officer at Wilfrid Laurier University.
Mr. Naiyer said the higher education sector can be especially vulnerable to cyberattacks. With their large populations with varying degrees of internet security smarts, postsecondary schools have relatively weaker defenses. Particularly problematic is the annual change in the population of students, most of whom bring to school internet-enabled devices that can introduce infections to a school’s Wi-Fi network. Also, the vast amount of research data housed on their computer networks makes schools appealing targets for stealing intellectual property. Plus, information security policies are often relaxed about letting researchers share data with collaborators, and these more-open networks are more vulnerable to attacks.
Mr. Naiyer’s first step was getting the schools to assess their current information security strengths and weaknesses. He used the resulting data to create a roadmap for each school outlining key IT security actions to take and milestones to achieve. He is now developing a framework of cybersecurity best practices, which the schools can use to create customized policies and processes that suit their institution’s size, budget and human resources.
There has been a long list of reported cyberattacks against universities over the past couple of years, including a security breach at the University of Alberta in late 2016, a cyber-terrorism incident involving a student at Université de Moncton this past spring, hacked student information at the University of the Fraser Valley in October and a recent phishing scam at Carleton University. As well, the University of Calgary paid a $20,000 ransom in 2016 to retrieve information following a cyberattack, and this past summer MacEwan University was defrauded of nearly $12 million after falling victim to a cyber-scam.
“With all the breaches happening left, right and centre, the threat of cybersecurity is not going to stop, it will only intensify,” said Mr. Naiyer. “My goal is to help these schools develop the infrastructure to respond to threats in a timely manner so they can minimize their impact.”
One Chief Information Security Officer (CISO) for 8 universities is not enough. Each university should have their own security chief. For a CISO to be effective, he/she needs to be able to influence the culture of the university’s environment, know who manages infrastructures, networks. Has this ‘good idea’ really been thought out?