Cyber-attacks on Australian universities soar amidst pandemic

Published 16 Nov 2020

Ransomware attacks increased during the pandemic in both volume and severity. The average ransom payment increased by 60% during the second quarter of 2020, with each attack leading to an average of 16 days of downtime. With their wealth of personal information and intellectual property in the form of valuable research data, cyber risks for universities and higher education institutions have become a growing concern, with the education sector being prime targets for cyber-attackers.

Cyber risk landscape for higher education

In 2019 alone, 89 universities, colleges, and school districts in the US were hit by ransomware attacks. Locally, a well-publicised example of a cyber-attack in the higher education sector is the attack on the Australian National University (ANU) in Canberra which led to 19 years’ worth of data being compromised, in what was labelled an “Ocean’s Eleven” style attack.[1] The post-breach report published by ANU showed that the hackers operated as a highly sophisticated unit, gaining initial access in late 2018 through a single phishing email, with their intrusion only being detected months later.[2]

Over the past few months, there have been multiple attacks on universities and higher education institutions across the US, with claims trends for the first half of 2020 remaining in line with those for the same period last year. Universities in Auckland and Otago were victims of a cyber security breach this year, linked to an attack against technology firm Blackbaud, which store information on their behalf. In the UK, a report published in July by cybersecurity firm Redscan found that more than 50% of UK universities experienced a data breach in the previous 12 months.[3]

Pandemic expands cyber risk profile

The ongoing COVID-19 pandemic has only aggravated this risk. As universities and other higher education institutions sought to protect students and staff by moving to a mostly remote working and learning environment, this has consequently increased potential cyber risk during the pandemic. Data vulnerabilities increased and potential attack footprints expanded, creating new points of entry for cyber adversaries.

As noted above, the nature of higher education institutions make them prime targets for cyber-attacks. This is because universities and colleges:

  • Produce valuable research, often in cooperation with private entities, with a potentially high economic payoff. These include efforts by university-based researchers to help develop treatments and vaccines for COVID-19.
  • Retain valuable personal data, including credit card numbers and medical information pertaining to students — both current and former — and staff. There are 1.5 million enrolled students across Australian universities, and the sector employs over 130,000 full-time equivalent staff.[4]
  • Use open learning environments, where information is shared among stakeholders and highly visible or symbolic figures are present, which can lead to increased threat activity from cyber activists seeking to disrupt operations for political purposes.

Time to act is now

Cyber risk is intensifying for education institutions at a time when the insurance market is changing. The marketplace has sought to clarify how property and casualty policies might respond to a cyber-event, with some insurers taking the position that policies must expressly include or exclude cyber coverage in order to apply, which could leave schools with dangerous gaps in coverage. It is thus essential for risk managers to review their existing policies with insurers or brokers to identify — and rectify — any such gaps.

It is critical for all higher education institutions to take a collaborative approach to address cyber risk. Risk management and information security departments must work together to train employees, regularly review security policies, develop incident response plans, and conduct real-time tabletop exercises, among other measures. Before a cyber incident takes place, education risk professionals must ensure they have the necessary resources to respond quickly and effectively.

As the pandemic continues to affect individuals around the world, universities and higher education institutions’ primary focus remains the health and safety of their students and faculty. However, the confluence of traditional and new risks make this the right time to review your cyber resilience capabilities. The impact of not addressing key security vulnerabilities can have significant financial and reputational effects in the event of a cyber-attack. It is vital that higher education institutions invest in understanding their cyber risks, and implement effective methods to mitigate both current and emerging cyber threats.

To better understand, manage and measure your organisation's cyber risks and prepare for 2021, please join us at the Marsh Cyber Risk Masterclass (16 Nov – 4 Dec).

LCPA:  20/608



Placeholder for Right rail bio component

language: en_us

lastname: Salgado

image: /content/dam/marsh/Imagery/Headshots/People-Portrait/kristine-salgado-portrait.jpg

title: Managing Principal – Cyber, Pacific - Marsh

firstname: Kristine

squareimage: /content/dam/marsh/Imagery/Headshots/People-Square/kristine-salgado-square.jpg

textIsRich: true

shorttitle: Managing Principal – Cyber, Pacific - Marsh

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) (“Marsh”) arrange this insurance and is not the insurer. The Discretionary Trust Arrangement is issued by the Trustee, JLT Group Services Pty Ltd (ABN 26 004 485 214, AFSL 417964) (“JGS”). JGS is part of the Marsh group of companies. Any advice in relation to the Discretionary Trust Arrangement is provided by JLT Risk Solutions Pty Ltd (ABN 69 009 098 864, AFSL 226827) which is a related entity of Marsh. The cover provided by the Discretionary Trust Arrangement is subject to the Trustee’s discretion and/or the relevant policy terms, conditions and exclusions. This website contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers and before making any decision about whether to acquire a product, refer to the specific policy wordings and/or Product Disclosure Statements available from JLT Risk Solutions on request. Full information can be found in the JLT Risk Solutions Financial Services Guide.”