Are universities ready for cyberattacks?

Canadian universities stand in the crosshairs of cybercriminals: Q&A with Benoît Dupont, Canada Research Chair in Cyber-resilience.

December 09, 2025

Over the last decade, post-secondary institutions across Canada have fallen prey to hackers. The attacks on the University of Regina, the University of Winnipeg, Université de Sherbrooke, and Carleton University were wake-up calls for post-secondary institutions to bolster their defences. But are they truly better equipped? And what can individuals do to protect themselves? 

Benoît Dupont is a professor of criminology at Université de Montréal and the holder of the Canada Research Chair in Cyber-resilience and the Research Chair for the Prevention of Cybercrime. He sat down to answer our questions. 

Q: Several universities have been targeted by cyberattacks, especially ransomware, in recent years. What’s the situation today? 

Benoît Dupont: Like any organization, universities are hit by different kinds of cyberattacks, including ransomware. But in contrast to organizations with structured networks and defined user roles, universities have a wide range of users and user needs that make them uniquely vulnerable.  

Universities are also vulnerable to business email compromise and spear phishing. In these “social engineering” attacks, instead of relying on hacking, scammers pose as university leaders and ask employees to transfer funds, often under the pretense of paying an invoice. This type of attack is common in universities because, compared with more traditional organizations, security controls on payments are highly decentralized.  

Universities also deal with industrial espionage and intellectual property theft targeting strategic technology, including artificial intelligence, nanotechnology, and biofabrication. 

Q: How do universities defend against these threats? 

Benoît Dupont: I think in recent years, universities have taken stock and better prepared themselves with more robust cybersecurity solutions, antivirus software, malicious email filtering, and so on. 

But whether that’s enough is another question. Universities’ culture of openness is not necessarily compatible with the kind of security culture that provides adequate protection. There is still some resistance from professors, researchers and students, as well as administrative staff, who tend to underestimate the severity of the problems cyberattacks can cause. 

Q: Has the uptick in remote work exacerbated these vulnerabilities?

Benoît Dupont: That is part of it, though many academics were working remotely before COVID. The constant influx of new users has actually prepared universities well.

Q: What has the main challenge been in recent years?

Benoît Dupont: Certain attacks, like intellectual property theft, are increasingly sophisticated. Universities don’t have the budget to effectively combat them. It’s a calculated risk. Resources are calibrated to counter well-known mid-level attacks to offer widespread protection to the university community.

Q: How can we ensure research data is not lost or compromised in the event of a cyberattack?

Benoît Dupont: Access to data must be protected to ensure its confidentiality. Research and ethics boards do a good job of educating scholars about encrypting their data and storing it in secure clouds. The issue that remains is how to protect data that could be destroyed or made inaccessible because it’s encrypted. It’s very risky to keep only one copy of data. The idea is to keep multiple backup copies so that data can be restored in case of an attack — in the university’s cloud, external clouds (while complying with research ethics), or offline storage.

It’s also important to limit access to only those who truly need it. If a personal computer is infected with malware, it could create a domino effect that compromises the data. Multi-factor authentication is an inconvenience for everyone, but it’s important. Universities are increasingly making it mandatory, but sometimes people try to get around it. 

Q: Do you have any advice for the university community?

Benoît Dupont: People are aware of what needs to be done, but for the sake of convenience, speed or comfort, it tends to be neglected. My advice is to take stock of blind spots and stay vigilant. Limit yourself to certain legitimate websites and services. Malicious sites posing as PDF conversion tools, for example, can infect computers, and we’ll see the same with counterfeit AI tools.

Q: What does the future hold?

Benoît Dupont: All organizations face the same threats. Unfortunately, cybersecurity is seldom prioritized because everyone thinks an attack could never happen to them. They keep thinking that way until an attack devastates their systems and brings operations to a standstill for weeks or months.

Universities inject considerable funding into physical infrastructure because it creates community spaces, but digital infrastructure plays exactly the same role. It’s less visible to the public, but it’s just as important. It deserves greater investment. 

This interview was edited and condensed for clarity. 

Further reading 

Cybercriminalité : Approche écosystémique de l’espace numérique, by Benoît Dupont. Published in 2024 by Armand Colin.
