COVID-19 brings new cyber-security threats to universities

Wagdy Sawahel 08 June 2020

The rapid move to online teaching and learning as a means to curtail the spread of COVID-19 has exposed African universities to greater risk of cyber-crime, according to a number of experts.

Last month, a report by cloud-based email management firm Mimecast indicated there had been an increase in cyber-attacks in the first quarter of 2020 across the world, including Sub-Saharan Africa as well as the Middle East and North Africa regions.

Besides the detection of more than 60,000 fake COVID-19 websites designed to steal information, Mimecast found that the monthly volume of all types of cyber-attacks had increased by 33% between January and the end of March 2020. Overall, detections were up by a third.

Exploiting confusion

“Given the efforts by governments to address the COVID-19 public health crisis across the globe in their attempts to contain the spread of COVID-19, it is almost certain threat actors and criminals will continue to exploit this resulting confusion, and there will be an increase in the observed cyber-attack methodologies against vulnerable targets,” the Mimecast report said.

Cameroonian cyber-security researcher Tomslin Samme-Nlar confirmed that the rush to move to online platforms had introduced “vulnerabilities” to African universities using learning management systems.

“Shifting to full online learning means more personal and research sensitive data is now available online, with many more access attempts from various devices,” said Samme-Nlar, who is the author of a recently published article entitled “Cyberspace security in Africa – Where do we stand?”.

“Without proper protection, it leaves the learning management systems susceptible to denial-of-service attacks. In addition, the involvement of African universities and institutions in coronavirus research makes them a target by nation state actors interested in gaining access to that information.”

Munir Njenga, a Kenya-based information security consultant, told University World News the rapid switch to online education platforms to facilitate distance learning and research on the coronavirus made African higher education institutions and their associated university hospitals and medical research centres targets of cyber-attacks using malicious domains as well as data-harvesting and disruptive malware along with online scams and phishing.

“This sudden virtual move has led to a lot of exposure,” he said. While previously a small attack footprint was available and higher education institutions relied on internal controls to secure the organisation, Njenga said the pandemic had forced African universities to adopt unfamiliar technology and realign processes “on the fly” with limited time to assess risks.

“A good example of a recent exposure is the attacks on the Zoom platform used by most African universities to conduct training or remote consultations. Arbitrary users could hijack those meetings,” Njenga said.

Lack of training

KnowBe4, a security awareness training and simulated phishing platform, has reported a 600% increase in phishing email attacks related to COVID-19 in the first quarter of this year.

Anna Collard, managing director of KnowBe4 Africa based in South Africa, told University World News that in addition to a lack of planning, the rapid move to online platforms had meant a lack of training on the potential risks to both institutions and learners alike.

“The majority of university lecturers are not properly trained in ICT or knowledgeable enough to assist the learners in cyber safety,” Collard said.

“Higher education institutions face challenges such as protecting their open networks, managing devices they don’t have control over as well as external threat actors and protecting their sensitive data,” Collard said.

She said the industry and governments should be doing more to raise the awareness of the risks and the potential impact of cyber-security threats.

Higher education institutions themselves also need to do more to raise the security awareness level of both staff and students. “End users should be exposed to frequent and ongoing phishing simulation and training exercises to raise their vigilance. Especially now with home schooling and staff working from home, end users have become even more vulnerable,” she said.

Collard said while the technical challenges facing African universities are similar to those facing large institutions across the globe, African countries often lack legal cyber-security frameworks, which “provide a safe haven to cyber-crime, a serious shortage of security professionals on the African continent and a relatively low degree of public awareness with regards to cyber-security”.

Samme-Nlar agreed, but said African universities should move towards protecting their institutions, brands, intellectual property and people from cyber-attacks, even in the absence of government regulations and policies.

“IT infrastructure is not given the importance it is due; little or no budgets are allocated for security and there is no legislation requiring such protections from sectors considered critical to the economy,” Samme-Nlar said.

“Where there are indeed national cyber-security strategies and policies written, they are not implemented.

“To put it in perspective: Kenya, which is considered ahead in cyber-security in Africa, enacted a Data Protection Act (DPA) which came into effect in November 2019. The act provides for the establishment of the Office of the Data Commissioner to oversee the implementation of and undertake the responsibility for enforcement of the DPA, but there is no Data Commissioner appointed yet in Kenya.”

Not a priority

“It is also common knowledge that African higher education institutions do not have large budgets to spend on IT infrastructure protection. This, and the general lack of cyber-security legislation and policy in Africa, means they will be seen as easy targets.”

However, universities needed to understand the solutions available and align their organisational processes accordingly, he said.

Ifeanyi McWilliams Nsofor, director of policy and advocacy for Nigeria Health Watch, told University World News that despite their cost, investment in “the latest state-of-the-art cyber-security software to ensure safety of data and information of students and faculty” would pay off in the longer term.

“As teaching and patient consultations take place remotely, no amount of investments in antivirus, anti-spamware and cloud security is too much because they are cost-effective in the long term,” he said.

Abdul-Hakeem Ajijola, chair of the African Union Cyber Security Expert Group, told University World News the situation required “organisational readiness, situational awareness, cyber defence, detection, mitigation and containment topped by recovery strategies”.

In dealing with the issue, experts tend to agree that awareness is crucial, particularly as more people are working from home: “One key way for African universities to protect themselves from cyber-attacks is by creating awareness among users … because security has shifted from being innate to the university’s environment and is now partially shared with staff and students working from home in an environment that the universities do not control,” said Njenga.

According to Nader Sohrabi Safa, lecturer at the school of computing, electronics and mathematics of Coventry University in the United Kingdom and former researcher at the Centre for Research in Information and Cyber Security at Nelson Mandela University in South Africa, social media could be an effective way to raise the awareness needed to help in the fight against cyber-crime.

“A remarkable number of individuals in our society spend a significant portion of their daily time on social networks which influence people’s attitude and behaviour. We can use social networks to increase information security awareness.”

Receive email updates from UWN

Global newsletters    Africa newsletters    Other
    (other includes related events and webinars)

Data will be processed according to our standard terms & conditions.

Sponsored Article

Why we need to inspire more women to go into STEM and AI

Jessica Silwick

The fast-changing developments in artificial intelligence are threatening to disrupt many economic and professional sectors worldwide and the field of AI is dominated by men. ABET has developed comprehensive guidance which it hopes will boost the role women play in STEM education and professions, including in AI.

Sponsored Article

Green Research Projects launched by UAE University

UAE University staff

In support of both national and global initiatives to address climate change, the United Arab Emirates University launched the ‘Green Research Projects’, a programme designed to finance and bolster research endeavours focused on sustainability and climate change.

Sponsored Article

UAE University launches strategic COP28 research topics

UAE University staff

In support of national and global efforts to find innovative solutions to the challenges of climate change and within the UAE University’s roadmap toward COP28 and beyond, the university has aligned its research priorities with the UAE’s (COP28) historic consensus.

Sponsored Article

University of the Free State – Realising a vision of excellence

University of the Free State staff

The University of the Free State in South Africa has excelled over recent years as a research-led, student-centred and regionally engaged university that contributes to development and social justice through the production of globally competitive graduates and knowledge.

Sponsored Article

Commitment, growth and shared lessons in African HE

Ashesi University staff

The Education Collaborative, an initiative started by Ashesi University in Ghana in partnership with the Mastercard Foundation, is one of Africa’s biggest platforms of higher education stakeholders. Since 2017, the Collaborative has led a new model for collaboration in African higher education that is helping to grow the strength of the ecosystem.