5 minute read 22 Jan. 2020

Cyber threats to education sector jeopardise valuable research

By Catherine Friday

EY Oceania Managing Partner, Government and Health Sciences; EY Global Education Leader

Improving how governments work and deliver services. Mustang owner. Keen horse rider. Average but enthusiastic skier.


What do you do when your strengths are also your weaknesses?

Digital transformation and disruptive technologies are transforming the modern learning environment, amplifying academia’s open culture of free-flowing ideas and information. Although this has led to positive advancements, the recent Australian National University and Australian Catholic University hacks illustrate the risks associated with the increasingly interconnected nature of information technology systems and the internet. As the number of malicious cyber actors continues to increase and their capabilities proliferate, a strategic approach is required to address the growing cyber security risks.

The education sector’s threat profile is growing. International intelligence agencies have long warned that education is the next target for state-sponsored and sophisticated hacks. Educational institutions’ complex ICT footprints provide ample opportunity to compromise systems, and their wealth of valuable personal information, intellectual property, advanced research and technology innovations offers significant incentives to a broad range of malicious cyber actors. According to Dimension Data and NTT Security, the education sector was one of the most targeted sectors for cyberattacks in Australia during 2017, accounting for 26% of all attacks. Across the Asia-Pacific region, this proportion of attacks increases to an estimated 57%.¹

“Educational institutes are not only vital for the prosperity of this country through their economical and research contributions, they are also a key to bridging the skill gap in the cyber security profession.”
Glen Gooding, EY Oceania Cyber Security Partner, Report Co-author

Academia is targeted by both state-sponsored and criminal cyber actors. Expensive and innovative research appeals to state-sponsored advanced persistent threat actors, offering a cost-effective way to access cutting edge research that often provides dual-purpose economic and defence strategic advantage. Cyber criminals are attracted to the financial gain from impacting the confidentiality, integrity and accessibility of the vast amounts of personal information on present and past students and faculty, their open and expansive networks and their heavy reliance on IT systems to function.

In addition to purely cyber-borne threats, Australian universities are the target of foreign interference campaigns. The Department of Education has established the University Foreign Interference Task Force to address this threat. Whether influencing universities to end politically embarrassing humanities research, coercing language and cultural organisations to adopt more amenable ideologies or gaining access to advanced dual-purpose research – insider threats pose a significant risk and technical exfiltration of data by insider threats from university systems is a very real concern.


Authored by EY Oceania Partner Glen Gooding, EY Oceania Partner Catherine Friday and EY Oceania Senior Manager, Manal Alsharif, the report contains EY's latest analysis on cyber attacks and the education sector.


Case Study: The lessons learned from the ANU hack

In June 2018, ANU discovered they had a security breach that involved the threat actors gaining access to a variety of personal information such as contact information, birth dates, tax identifying information, payroll information, bank account details and raw student academic records. Shortly after the announcement of the breach, the university courageously released a comprehensive report to the public.

According to the report, the university’s cyber security system was complex enough, but the systems leveraged in the attack were outdated and the actors were persistent.
The initial understanding of the ANU attack and the university’s report seem to link the cause of the cyberattack to common factors witnessed in educational institutes such as failing to do the following:

  • Patch and retire legacy systems.
  • Segment the network, separating external facing systems, legacy systems, the IT management network and the general user population.
  • Build a mature cyber incident detection and response capability.
  • Fully roll out multifactor authentication (MFA) for externally facing systems and privileged accounts.
  • Tune email filtering technology to block a vector attack.


There is a focus on increasing cyber regulatory measures to protect education institutions. Poor IT controls increase the risk of inappropriate access, cyber security attacks, data manipulation and misuse of information security policies, so it is important to understand these organisational weaknesses. 

Five guiding principles

1. Protect what matters most
In an environment such as the education sector where there is so much to protect, leadership must focus on securing the information and assets that have the biggest impact on their business’ mission.

2. Manage cybersecurity risk at the right level
Confirm that the institution takes a whole-of-organisation approach to cyber security, with operating units understanding their roles.

3. Provide the right access at the right time
By simplifying access processes for the user base, educational institutions can provide a better user experience and more easily identify unauthorised users.

4. Recover quickly and securely
From IT professionals with hands on keyboards to the university’s senior management and Senate, it is essential that educational institutions know what to do when a cyber incident occurs.

5. Practice proactive cyber security
Proactive security combines traditional security defences and a strong security foundation with real-time monitoring and intelligence-led data to predict security events.



When it comes to network compromise, it is no longer a question of if, but when. At its core, cyber security seeks to reduce vulnerabilities and build capacity to identify and respond to these incidents. Although a cyber security program cannot guarantee absolute security, it will provide the capability to manage the impact of such malicious cyber incidents and reduce the reputational harm to the institution due to the compromise of the confidentiality, integrity, or availability of systems or data.
