Universities are a target for both criminal hackers and state actors because of their intellectual property, their stores of sensitive contact details, and their early access to people who may go on to hold political or security positions.
Cyber security firm Proofpoint has analysed the top 20 Australian universities to see which ones have adopted the email authentication protocol that lets receiving mail servers detect, and optionally block, messages that spoof the university's official domain.
Nine of the universities appear to have no protection in place against cyber criminals impersonating their domain, meaning that neither staff nor outside recipients get any signal that a message claiming to come from the university is fraudulent.
Of the 11 that do publish a record, only two have set an enforcing policy, so that receiving mail servers reject or quarantine the spoofed messages rather than merely reporting on them.
Proofpoint’s Australia and New Zealand vice president Crispin Kerr said universities were a common target for cyber criminals who know they can be the gateway to sensitive information related to staff, students and alumni.
He said all universities should have Domain-based Message Authentication, Reporting & Conformance (DMARC) in place at the very least, but this should also include an automatic blocking feature.
“Email phishing is the most common vector for security compromises across all industries and students and universities are especially vulnerable,” he said.
“Cyber criminals disguise emails as messages from the university IT department, administration, a campus group, or student loan providers to effectively lure students and staff.
“Email authentication protocols like DMARC are the best way to shore up email fraud defences and protect staff, students and alumni and we would advise all universities across Australia to ensure that they have a DMARC protocol in place to protect those within their networks.”
While the universities may have other cyber security defences in place, DMARC is now considered email security best practice.
Jocelinn Kang, technical specialist at the Australian Strategic Policy Institute, said that failing to actively filter fraudulent emails or to implement DMARC records leaves universities and their external contacts vulnerable to email fraud and phishing.
“On the one hand a university not filtering for fraudulent emails leaves their users vulnerable to impersonation attacks and on the other a university without a DMARC record has no way to provide trust to its email recipients,” she said.
“Both of these should concern the university as this can affect their digital reputation.”
Proofpoint last year analysed all 14 federal government departments’ domains, finding only two had fully implemented proactive blocking measures.
Asked about the rate of DMARC uptake within the federal government, cyber security agency the Australian Signals Directorate said about 93.4 per cent of department domains have some form of DMARC protection, “although many do not, as yet, have a reject policy configured”.
“DMARC is one of a variety of controls that when used together is a highly effective countermeasure for preventing phishing attacks where the attacker attempts to fully impersonate the sending email domain,” the ASD told Senate estimates in response to a question on notice.
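The distinction the survey draws, between domains with no record, domains that only monitor, and domains whose policy actually blocks, together with the ASD's caveat that many records have no reject policy configured, comes down to a handful of tags in a DNS TXT record at `_dmarc.<domain>`. The following Python is an added example written for this page, not Proofpoint's or ASD's tooling. It parses DMARC records the way RFC 7489 says a receiver must (record must start with `v=DMARC1`, `p` is required, more than one record means the domain is treated as having none) and sorts each domain into the survey's three buckets. The DNS answers are constructed inline under made-up `.example` domains so the code runs offline; swap in a real resolver lookup for live checks.

```python
"""Classify domains by DMARC posture: no record, monitoring only, or enforcing.

Added example (not from the article). Uses constructed DNS data; no real
universities are queried.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed TXT answers for _dmarc.<domain>, one list per name. These are
# invented for the example and do not describe any real institution.
SAMPLE_DNS: Dict[str, List[str]] = {
    "_dmarc.uni-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@uni-a.example"],
    "_dmarc.uni-b.example": ["v=DMARC1; p=none; rua=mailto:reports@uni-b.example"],
    "_dmarc.uni-c.example": [],                                      # nothing published
    "_dmarc.uni-d.example": ["v=DMARC1; p=quarantine; pct=50; sp=none"],
    "_dmarc.uni-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: invalid
    "_dmarc.uni-f.example": ["v=spf1 -all"],                          # wrong record type at that name
}

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    domain: str
    status: str                 # "none" | "invalid" | "monitoring" | "blocking"
    policy: Optional[str] = None
    subdomain_policy: Optional[str] = None
    pct: int = 100              # share of failing mail the policy is applied to
    reporting: bool = False     # rua= present, i.e. the domain receives aggregate reports


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, enforcing RFC 7489 basics."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if not parts or not parts[0].lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct out of range")
    return tags


def assess(domain: str, dns: Dict[str, List[str]] = SAMPLE_DNS) -> DmarcAssessment:
    """Map a domain to the survey's buckets: none / monitoring / blocking (or invalid)."""
    # Receivers ignore TXT records at _dmarc.<domain> that do not begin with v=DMARC1.
    candidates = [r for r in dns.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not candidates:
        return DmarcAssessment(domain, "none")
    if len(candidates) > 1:
        # RFC 7489 6.6.3: multiple DMARC records mean no policy is applied at all.
        return DmarcAssessment(domain, "invalid")
    try:
        tags = parse_dmarc(candidates[0])
    except ValueError:
        return DmarcAssessment(domain, "invalid")
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()     # sp= defaults to p=
    status = "monitoring" if policy == "none" else "blocking"
    return DmarcAssessment(
        domain, status, policy=policy, subdomain_policy=sub_policy,
        pct=int(tags.get("pct", "100")), reporting="rua" in tags,
    )


def summarise(domains: List[str], dns: Dict[str, List[str]] = SAMPLE_DNS) -> Dict[str, int]:
    """Count domains per bucket, the same shape as the survey's headline figures."""
    counts = {"none": 0, "invalid": 0, "monitoring": 0, "blocking": 0}
    for d in domains:
        counts[assess(d, dns).status] += 1
    return counts


if __name__ == "__main__":
    for name in ("uni-a.example", "uni-b.example", "uni-c.example",
                 "uni-d.example", "uni-e.example", "uni-f.example"):
        print(assess(name))
    print(summarise(["uni-a.example", "uni-b.example", "uni-c.example",
                     "uni-d.example", "uni-e.example", "uni-f.example"]))
```

Two details in the output are worth more than the headline count. A domain counted as "blocking" can still be weakly protected if `pct` is below 100 or if `sp=none` leaves every subdomain unenforced, as `uni-d.example` shows; and publishing two records, as `uni-e.example` does, is not twice the protection but none, because receivers discard the lot.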
Anthony is foreign affairs and national security correspondent for The Sydney Morning Herald and The Age.