Recent hacks into university data and systems highlight the importance of TPRM in higher education. Find out what this means.
The 2023 Cybersecurity Breaches Survey revealed that 85% of UK universities have experienced some form of data breach, highlighting the growing cyber security risks faced by higher education institutions.
According to a recent government review, these institutions are considered "vulnerable" and are increasingly "targeted" by hostile states, particularly China. As a result, university leaders have received security service Cobra briefings to address these threats. The Deputy Prime Minister, Oliver Dowden, emphasised the need to balance academic freedom with national security concerns.
Just as for financial institutions, Third-Party Risk Management (TPRM) has become a vital part of the strategy for protecting student, staff, and sensitive research data as well as university systems from cyber threats.
Here, we explore the importance of TPRM in the higher education sector and provide practical guidance for implementing effective measures to ensure the protection and security of institutional and personal data from potentially malicious actors.
Cyber security has become a pressing concern for universities within the United Kingdom, and TPRM has a vital part to play in the strategy to address the unique challenges faced by these institutions. Several factors have contributed to the heightened urgency of implementing solid TPRM programmes in the higher education sector in recent years.
With escalating geopolitical tensions and the rise of state-sponsored cyber threats, universities have become prime targets for adversaries seeking to gain unauthorised access to valuable research data, intellectual property, and sensitive information.
Nation-state actors may attempt to exploit vulnerabilities in university systems to steal proprietary research, disrupt operations, or conduct cyber espionage activities.
Universities face unique cyber security challenges due to their open and collaborative nature and the rolling number of individuals who have access to their systems.
With thousands of students, faculty, and staff members using university networks and resources, the attack surface is significantly larger than for many other organisations. This increased exposure, coupled with the variety of devices and software used, makes universities more vulnerable to cyber threats.
Thus, it is essential that universities and the UK government adopt an institutional-level approach to protecting these institutions and their valuable data.
One of the primary concerns for universities should be the potential vulnerabilities in their vast ecosystem of third-party suppliers and vendors.
Educational institutions often rely on numerous external partners for various services, including:
However, many universities lack effective TPRM programmes, leaving them exposed to risks introduced by these external relationships to their systems and data.
Universities possess a wealth of sensitive data that is valuable to cyber criminals and nation-state actors. Different types of data that exist include:
Educational institutions collect and store personal data on their students, including names, addresses, phone numbers, email addresses, and health information, as well as financial information such as student loan details or tuition payment records.
If compromised, cyber criminals could exploit this data for identity theft, fraud, or other malicious activities. Moreover, sensitive information relating to academic records, disciplinary actions, and in particular health records could also be targeted, leading to potential privacy violations and legal consequences.
Like student data, universities maintain personal and financial information about their employees, including faculty, administrators, and support staff. This data often includes sensitive details such as social security numbers, banking information, and employment records.
A breach of staff data could lead to identity theft, financial fraud, or even extortion attempts targeting employees.
Many universities conduct groundbreaking research in various fields, including science, technology, medicine, and engineering. Some of this research is not only of potential commercial interest but could also have sensitive national security implications; think, for example, of sensitive research in bioscience or virology.
This research data holds immense value and could be targeted by corporate competitors, foreign governments, or other malicious actors seeking to gain an unfair advantage or steal proprietary information.
The theft or misuse of research data could compromise years of intellectual property and undermine the competitive edge of universities and their partners.
Beyond research data, universities generate valuable intellectual property through research and academia.
This includes patents, copyrights, trade secrets, and other proprietary information. Cyber criminals can profit financially if they successfully steal such information, or nation-states could use it to advance their own technological capabilities, posing significant risks to universities' competitiveness and reputation.
Like any organisation, including energy providers and medical centres, universities handle sensitive financial data, including payroll information, budgets, donor records, and investment portfolios. A breach of this data could lead to financial losses, reputational damage, and legal implications. Cyber criminals may seek to exploit financial records for fraud, extortion, or other illicit activities.
Implementing a comprehensive TPRM programme is vital for universities to mitigate the risks associated with third-party suppliers and vendors. Here are some strategies to consider:
Let's examine some real-world case studies to better understand the impact of supply chain attacks in higher education. These data breaches serve as stark reminders of the far-reaching consequences of a single compromised vendor or third-party partner.
In 2020, a significant data breach occurred at Blackbaud, a cloud-based software provider widely used by educational institutions for fundraising and alumni management.
Over 20 UK universities, including the University of Birmingham, De Montfort University, and the University of Exeter, were impacted by this incident. Cyber criminals targeted Blackbaud's systems, compromising sensitive personal data of students, alumni, and donors held by these institutions.
This breach highlighted the ripple effect a single vendor's security lapse can have on numerous universities, emphasising the urgent need for comprehensive TPRM measures to secure universities’ corporate supply chains.
In 2018, the University of Greenwich fell victim to a cyber security breach that exposed the sensitive data of nearly 20,000 individuals, including students, staff, and alumni.
Hackers exploited an unsecured microsite hosted by a third-party vendor, gaining unauthorised access to personal information such as names, addresses, and phone numbers.
In particular, this incident underscored the importance of proactive TPRM practices, as the University was fined £120,000 by the ICO for “not having the appropriate technical and organisational measures in place for ensuring security.”
Risk Ledger, a leading provider of TPRM solutions, offers a comprehensive platform designed to help higher education institutions effectively manage and mitigate third-party risks.
Through Risk Ledger's solutions, higher education institutions can gain greater visibility into their third-party ecosystem, identify and address potential vulnerabilities, and ultimately enhance the protection of sensitive data and critical systems.
By prioritising TPRM and securing their corporate supply chain, universities can safeguard student data, protect intellectual property, and maintain the trust and reputation of their esteemed institutions in an ever-evolving cyber security landscape.