Editor’s Note: Today’s post is by Susie Winter. Susie co-chairs the Scholarly Networks Security Initiative Communications Working Group and is VP, External Communications at Springer Nature. 

Last year, I shared findings from a quantitative survey the Scholarly Networks Security Initiative (SNSI) commissioned from Shift Learning to better assess librarians’ awareness of the threat posed by cybercrime and whether they knew what steps to take if their network had been compromised.

The purpose of this research was twofold: First, with librarians often being on the front line of cyberattacks and their networks perceived as back doors to data and personal information held by universities or academic institutions, we were keen to understand better what their main concerns were. Second, given the connections between cybercrime, network security, and piracy, we were interested to have greater insight into their views of Sci-Hub.

Our research found that librarians had limited confidence on the topic of cybersecurity; their main concerns were personal student data loss and the reputational threats posed to their institutions by cyberattack. Put simply, they were concerned with ensuring that their colleagues’, students’ and institution’s data were safe. Attitudes to Sci-Hub and the threat it poses to both of these were more complex, with many unaware of the cybersecurity threat the site poses. The full findings can be found on the SNSI website.

When considering network security and how to deal with both threats and the aftermath of breaches, the full burden should not fall on librarians. We needed therefore also to understand the views of those in higher education institutions who have day-to-day responsibility for network security. What are their main concerns when it comes to cybercrime and data security? What are their primary areas of focus when seeking to improve security at their institutions? To what extent are they aware of Sci-Hub and do they see a connection between this pirate site and broader cybersecurity concerns?

This led us to a follow-up piece of research, again conducted by Shift Learning, which took the form of eleven in-depth interviews with Chief Information Security Officers (CISOs), Information Security Officers (ISOs), and senior IT staff such as Chief Information Officers (CIOs) or those in senior advisory roles in IT services. Respondents were based in the UK, US, Europe, and Australia. We were interested to know to what extent their views differed from those we had heard from librarians – and to the extent they did, what SNSI could do to support both groups.

The view from CISOs and their teams

Unsurprisingly, cybersecurity was viewed as a serious concern amongst these respondents. A majority rated the seriousness of the risk as between 7.5 and 10 on a scale of one to ten. There were multiple reasons why respondents believed universities to be a high-risk sector, one being that the sector previously didn’t appreciate it could be a target, due to its non-profit orientation. A further reason identified was that even though higher education had been an early adopter of the internet, it meant that current practices across the institution weren’t always up to date. The conflict in Ukraine was also cited as a concern, most likely due to the concerns regarding Russian activities. One CISO described the level of threat as an ‘arms race’, with security measures trying to keep pace with the hackers and bad actors.

When asked about the increase in attacks on research institutions, CISOs and ISOs believed this could be because intellectual property is highly valuable. The types of attacks discussed included nation states carrying out attacks to obtain unpublished research data, particularly on COVID-19 research and viral and genetic research. Interestingly, student records and medical records were also seen to be at risk.

Main findings

  • Human error and lack of awareness around cybersecurity were concerns for CISOs and a main cause of data security breaches.
  • CISOs’ primary concern was protecting the network as security breaches, including ransomware attacks, can cause prolonged business disruption and put at risk the protection of personal data, including HR, medical, and financial information. One respondent cited an attack on a German university department that disabled the network for 36 hours.
  • Respondents expressed concern about politically motivated cybercrime sponsored by nation states targeting sensitive research data, and reported incidents in which COVID-19 research was targeted.
  • A lack of collaboration, leading to a disconnect, between the university, IT security, and library IT services was identified as a potential weak link in the fight against cyberattacks.

With regard to Sci-Hub specifically, it was viewed as lower risk by the respondents mainly because of the misperception that the file format (PDF) deployed by the illegal site is one not typically associated with malware. A further reason for this may be found in one area of increased investment for CISOs: improving security at their institutions with multi-factor authentication. This is one of the two lines of defense, along with geo-blocking, that respondents identified to limit the activities of Sci-Hub and other organizations that threaten the academic record. One respondent did point to Sci-Hub’s encouragement of credential sharing, which is itself a breach of their privacy policy, as a source of concern.

How SNSI, CISOs and librarians can work together

From the survey we have identified three areas in which we believe we can help improve the security of university networks by working together, for the benefit of all:

  1. CISOs considered basic cyber-hygiene tools, such as multi-factor authentication (MFA), to be a key line of defense in preventing cybercriminals from accessing university networks. By joining forces to promote good cyber hygiene practices we can help users understand their importance.
  2. By sharing information and intelligence SNSI can help increase understanding of how pirate sites such as Sci-Hub operate and the risk they pose to data security, thereby neutralizing a potential threat.
  3. We need to continue to raise awareness of the very real threats of cyberattack to academic institutions, and to the integrity of their staff and students’ personal data.

We are very grateful to all the respondents for these insights and look forward to working together in our shared mission to solve cyber-challenges that are threatening the integrity of the scientific record, scholarly systems and the safety of personal data.

Susie Winter

Susie Winter co-chairs the Scholarly Networks Security Initiative Communications Working Group and is VP, External Communications at Springer Nature. She joined Springer Nature from the Publishers Association, the trade association for the publishing industry in the UK where, as Director of Policy and Communications, she was responsible for developing and leading the PA’s work across the policy agenda as well as promoting the contribution made by the UK publishing industry at both a UK and European level. Prior to that she was the first Director General for the Alliance for Intellectual Property, working to ensure that the importance of IP rights to the UK economy is recognized.

Discussion

1 Thought on "Guest Post — What is Keeping University Chief Information Security Officers Up at Night"

even though the post focuses on sci-hub, the answer to the title question seems to be: not sci-hub

but that’s due to CISOs being unaware that PDFs can contain malicious code and be used to infect computers with malware? or simply unaware of any actual real-world incidents where a malicious PDF downloaded from sci-hub infected someone’s computer?

considering there have been hundreds of millions of PDF downloads from sci-hub, have any users reported getting malware that way?

and lastly, in what way does sci-hub threaten the academic record? sure it provides illegal preservation and distribution of the record, but that’s not a threat to the record itself is it?
