Cybersecurity a critical need for universities—and online learners
Cyber threats are growing in scale and complexity. Athabasca University’s VP of IT and chief information officer explains how the institution is meeting the challenge.
Lincoln College is one of the oldest universities in North America. Born from the U.S. Civil War, the university survived the Great Depression, two world wars, and two global pandemics in fulfilling its academic mission to a small student population of largely Black students in rural Illinois.
The school set new enrolment records in 2019 before the bottom fell out during the pandemic, creating major financial challenges. Then in 2022, the college was targeted by cyber criminals who demanded the college pay a ransom to regain access to critical student recruitment data.
Unable to pay, Lincoln College announced in May that it would close its doors after 157 years. It wasn’t the first post-secondary in North America to fall victim to a cyberattack—and it won’t be the last, says Jennifer Schaeffer, Athabasca University’s (AU) vice-president of information technology and chief information officer.
“In today’s environment, cyber criminal behaviour is a big business,” Schaeffer explains. In fact, it’s become a highly competitive industry where criminal companies offer services such as ransomware—stealing data and forcing an organization to pay to regain access.
“In today’s environment, cyber criminal behaviour is a big business. ”– Jennifer Schaeffer, vice-president information technology and chief information officer
“They have a research and development budget, they have large staff, and they get hired to perform ransomware attacks on organizations. It is a big business from a criminal perspective.”
The Hub sat down with Schaeffer to understand why universities are such a compelling target and how AU is responding to the challenge. She also shares advice for how everyone—students, alumni, and team members alike—can take steps to protect ourselves from cyberattack.
The Hub: Why is cybersecurity something that every organization—no matter the size—should take seriously?
Jennifer Schaeffer: The reason that we all need to take it seriously is because it is absolutely prevalent. There is no organization that, on a daily basis, doesn’t get thousands, sometimes tens of thousands of attempts on computing systems. The number 1 targets for hacking and cyber crime are the passwords and credentials of employees, because that’s usually the weakest link.
These criminal organizations are able to use artificial intelligence, machine learning, and other kinds of automations to attack at a scale and an intensity that didn’t exist in the early days of the internet.
Where are these illegal operators based?
They can be everywhere. We call them external state threat actors and they fall along the same lines as the issues we have globally right now. So currently, the Western democracies and other European countries that support Ukraine are under cyberattack by organizations, either based in Russia or in affiliated countries, that have these types of ransomware and other types of hacking organizations at scale. And they are attacking the public sector, particularly government and universities in the Western democracies.
“These criminal organizations are able to use artificial intelligence, machine learning, and other kinds of automations to attack at a scale and an intensity that didn’t exist in the early days of the internet.”
Why are universities such a compelling target for attacks?
Universities built their computing networks and storage in a different time, in the early ’90s. Back then, we trusted that no one was going to try to hack the university’s research or steal intellectual property or hold university operations hostage to cyber-ransom. But today’s cyber attackers are enterprises in their own rights, and they’re valued at billions of dollars. And that industry knows it is very lucrative for them to suck up important research data, even before the intellectual property stage, and sell it to the highest bidder on the black market or use it for national R&D efforts in opposing nations.
Have the attacks increased since the start of war in Ukraine?
Yes, it has definitely escalated. Chief information officers and chief information security officers lead cybersecurity teams at research universities, and we are aligned to our provincial governments’ chief information security officers. We’re getting weekly briefs and information about new attacks from Russia. Cybersecurity information sharing is also happening at the national level.
AU makes higher learning possible for more than 40,000 students who learn online and are supported by more than 1,200 team members. Simply put, the university could not exist without access to technology. What kind of challenges does this create for preventing or countering cyber threats?
To support Imagine, the board approved RISE, our five-year digital transformation strategy that is about embracing digital technologies. Basically, the more you move forward in digital technologies, the more you always have to think about the security layers around those digital technologies and how they’re going to work.
So we created AU’s first digital security office, which includes the first chief information security officer. That team is accountable for ensuring the security of research and operations computing workloads, network and data storage in our AU cloud, as well as the applications, laptops and iPhones we provide every employee. We’ve also provided a lot of cybersecurity training opportunities to help every employee and researcher understand the importance of cybersecurity. We’ve also made training available to the general public.
Is it safer for an organization to house its IT infrastructure in the cloud?
Yes, it’s safer when you work with a robust and mature global cloud organization that is accountable for constant monitoring and improving upon your infrastructure’s security. When you have systems on premise, you have to purchase, install, patch, maintain and monitor all these layers of infrastructure security constantly. And you can imagine with the complexity of a research university’s infrastructure, software and data, that in itself is a massive cybersecurity landscape job to keep ahead of the cybercriminals attacking your infrastructure.
“They’re monitoring infrastructure threats in real-time and have abilities to recover from threats at a speed far greater in a traditional on-premise environment …”
Our strategic partner is Amazon Web Services (AWS), and when you use the cloud in this manner, all the security protocols and the encryption are built into the AWS cloud infrastructure by default. They do the cloud infrastructure maintenance and the third-party monitoring and are accountable for the infrastructure and security of the cloud. They’re monitoring infrastructure threats in real-time and have abilities to recover from threats at a speed far greater in a traditional on-premise environment at a research university, because they have sophisticated cybersecurity automated and human monitoring of their global infrastructure.
AU recently launched one of the country’s first cloud-based research initiatives, IDEA Lab, where researchers and graduate students can collaborate anytime, from anywhere. How can researchers feel confident their work and data are secure?
AU was the first Canadian university to move all university operations to the cloud in 2020 and IDEA Lab is part of the next phase of our cloud computing strategy. Having research in the cloud allows for ease of access from anywhere and the architecture is far more secure than, say, an unprotected laptop or a portable hard drive. The combined expertise of our Research Centre and our Research IT team, working closely with AWS and another partner, RONIN, is providing the secure computing network and storage for the researchers and our students that are research associates as well as training via IDEA Lab’s curriculum built with AWS Academy.