Higher education institutions (HEIs) need to take steps to tighten access of their network infrastructure as well as caution users to be more vigilant in protecting their data and privacy when engaging in online and distance learning.
Large-scale online learning was implemented in a rushed manner in such institutions in the country due to the sudden disruption of traditional in-classroom activities by the Covid-19 pandemic, leaving campus networks open to vulnerabilities.
While digital and online platforms, as well as software and applications, provide the necessary means and convenience for distance teaching and learning to take place, there are fears over cyber threats.
According to Associate Professor Dr Nurhizam Safie Mohd Satar from Universiti Kebangsaan Malaysia, much of the risk in adopting technology quickly could come at the cost of users — students, lecturers or teachers.
"The exposure of confidential or sensitive information is the most common concern for education institutions. Higher education institutions use data for many reasons — from student admissions, general operations and human resources to online learning purposes," he said.
"To understand what is at stake, at the most minimum, malicious entities may access a student's, lecturer's or teacher's contact information, human resource data, financial and medical records, and then use them to contact, extort and threaten their victims."
Chief technology officer of the Cyber Range Academy in Mersing Polytechnic Tajul Azhar Mohd Tajul Ariffin said by moving from traditional education to online education, "we are opening the floodgates to cyber-attacks".
"Another form of attack that may occur is the Advanced Persistent Threat (APT). It can come from groups or individuals. The attackers usually plan for months or years to find a valuable piece of information. They aim for large enterprises or government entities," he shared.
As such, Tajul Azhar said there was an urgency in securing networks and educating users among the institutions.
Nurhizam who agrees with Tajul Azhar's opinion said: "Once universities have settled into the new normal, they should look to reinstitute what privacy and security controls they may have temporarily set aside when pivoting to online learning.
"This is especially true for the most sensitive university IT systems, such as the payroll or accounting database, as well as student information and human resource systems. Moreover, universities must train their students, lecturers and other stakeholders on how to identify online scams and phishing," he said.
CyberSecurity Malaysia said that as people worked-from-home the number of internet use and traffic increased significantly.
This translates to big opportunities and an advantage for cybercriminals as the public and organisations communicate and share information online.
CyberSecurity Malaysia chief executive officer Datuk Dr Amirudin Abdul Wahab said security concerns for the e-learning system at HEIs could be defined in different ways, such as authentication, availability, integrity and confidentiality.
To ensure their networks are secured for users for online learning, Amirudin said HEIs must update their security policy, procedure and guideline, as well as keep the users informed.
"The biggest vulnerability on every network is the person using the keyboard. Training users to avoid social engineering attacks is the first step toward a more secure environment. These institutes should conduct regular cyber safety awareness programmes for their employees and students."
He advised institutions to invest in licensed and trusted video teleconference software and platforms, as well as come out with a list of trusted online learning applications to be used by all.
"They should monitor online meeting/learning sessions and block unauthorised participants. Do not share links or the session's ID with other people," said Amirudin.
He said representatives from every campus group — from administration and facilities to communications and IT — should meet up, to analyse potential risks and create policies to address them.
If there is a cyber incident or threat, HEIs can contact the Cyber999 Emergency Help Centre via phone at 1-300-88-2999/019 2665 850 or email firstname.lastname@example.org.