ORION Higher Education Cybersecurity Report 2021

The importance of cybersecurity in higher education

When the pandemic forced Ontarians to work and learn from home for the majority of 2020-2021, cybersecurity became more crucial than ever. Reliable online access became even more indispensable, and ORION delivered on that need consistently. The pandemic revealed the consequences that arise when people and communities are unable to connect.  

Due to a surge in global cyberattacks, ORION heard from more users than ever who feared for the security and privacy of their data, research and technical operations. In response, ORION directed our focus towards delivering products, services and programs to provide our network users with enhanced threat protections and heightened security measures for connecting through our network. In the past 12 months alone, ORION detected 482 DDoS attacks; 209 of which needed intervention. 

The state of cybersecurity in higher education

Canadian higher education institutions, universities and colleges, are seeking support to address cybersecurity as a top strategic priority. Building the internal and collective capabilities to prevent and prepare for cybersecurity threats are essential to ensuring that valuable personal information, research data and intellectual property is protected. Amid the backdrop of the COVID-19 pandemic, researchers in Ontario and across Canada are on the front lines of innovative testing, therapies and vaccine development, and remote work and learning has proliferated. It is critical at this time, and hereafter, that Canadian colleges and universities are fully equipped to protect these essential strategic efforts. 

In addition to ORION security services and products, there is a foundation of skills and capabilities to bring together in Ontario’s higher education community. Universities and colleges have cybersecurity professionals and/or IT professionals tasked with providing a safe and secure online ecosystem for students, faculty and staff. Many institutions have prioritized cybersecurity and have made significant progress in protecting their networks and online community members but are limited by available funding and resources at the institutional level. Together, the sector has already taken important first steps. A sector-wide approach is vital to ensure that cybersecurity preparedness is effectively implemented across our higher education sector. By sharing critical guidance, best practices and common strategies, we can ensure that colleges and universities of all sizes are equipped to deal with current and emerging cybersecurity threats. 

Together, the sector has already taken important steps. The Ontario Cybersecurity Higher Education Consortium (ON-CHEC) is a consortium of 33 Ontario colleges and universities who, with the support of ORION, have joined together to lead the way for shared cost-effective cybersecurity guidance, advisory programs, and services for Ontario’s higher education cybersecurity needs. 

Data is always the key

Preparedness is impossible without accurate, objective and current-state evaluation information. ORION has developed a standards-based assessment specifically for higher education and based on the CIS Top 20 Critical Security Controls.  

The CIS Top 20 Critical Security Controls are a prioritized set of best practices created to address the most common and harmful cybersecurity threats; and are increasingly becoming industry standard. Participating ON-CHEC members were taken through assessments of their cybersecurity and institutional risk programs. 

Responses were broken down into six institution types and four categories of assessment to align with the previous report card from the 2019 State of Cybersecurity in Higher Education. The results were analyzed to establish anonymized averages for each category along with the institution’s comparison to this average. Our goal is to achieve equity in the cybersecurity capabilities for all institutions. Due to the collaborative nature of cybersecurity across institutions, the vulnerability of one institution affects the whole sector. 

These findings are summarized in our report, “Cybersecurity and Higher Education in Ontario: Protecting the Public, Economic, Provincial and National Security Interests 2021,” and are the basis of our recommendations to government. This report represents input from many of our research, education, and innovation community partners as well as our constituents. 

Trends in Ontario’s post-secondary education cybersecurity:

• Foundational transformation of higher education – With learning options moving to more omni-channel models in combination with greater competition and expectations from students for higher education to adapt to their needs, there are competing priorities. Security can be lost in the fray without a conscious effort to keep it integrated into any technology plans (risk governance, security).  
• Security roadmaps need more focus – IT teams at higher education institutions are challenged to implement a comprehensive cybersecurity approach because of competing priorities, gaps in funding and resource allocation and, especially in universities, the decentralized and independent nature of their constituencies. These challenges create the potential for concerning IT security gaps that could result in vulnerable intellectual property and sensitive information being compromised.  
• Remote learning and working – With the COVID-19 pandemic continuing for two years, it shouldn’t come as a surprise that remote learning and work have risen to the top of higher education institution’s priority list. The implication, however, is that data is no longer sitting behind fortified walls and is exposed. 
• Moving to “the cloud” – Skills, governance and operational models are different for cloud environments with a higher focus on contracts, data governance, third party risk assessments and the way they are supported. COVID-19 accelerated the move to online and cloud-based services, and places institutions at an even higher level of risk. 

Recommendations

1. Establish a common cybersecurity strategy and framework 
   With the support of the Ontario Ministry of Government and Consumer Services and their Cyber Security Expert Panel, empower ON-CHEC to bring together all of Ontario’s universities, colleges and other higher education institutions to establish a common cybersecurity strategy and framework for the higher education sector in Ontario.  
2. Create a targeted investment fund
   Based on the requirements of this sector-wide strategy, put in place a targeted investment fund to assist colleges and universities in upgrading their cybersecurity capabilities, leveraging ON-CHEC’s shared cybersecurity services and community. 
3. Align to and support a national cybersecurity approach
   Leverage existing national cybersecurity initiatives, including both government and higher education sector partners from across Canada, to facilitate a national cybersecurity approach for Canada’s higher education sector. Such a national approach delivers two critical benefits: it maximizes the impact of these collaborative cybersecurity frameworks and approaches, and it unlocks funding opportunities that support ongoing cybersecurity initiatives.  

Working together

We at ORION recognize there are many provincial and national cybersecurity initiatives underway and we’re working together to collaboratively improve the cybersecurity posture for higher education in Ontario and across Canada. This report represents input from many of our research, education and innovation community partners as well as our constituents and we thank them for their contributions.