In early 2025, unauthorized access to an Australian university’s single sign-on (SSO) system exposed the personal data of around 10,000 students. This followed an earlier breach between mid‑2023 and March 2024, in which cybercriminals stole a staggering 580 TB of data through Microsoft Office 365 and Dell Isilon storage platforms.
With campuses operating like large, distributed enterprises, the education sector faces a growing wave of cyberattacks targeting email platforms, collaboration tools, and shared infrastructure. Security information and event management (SIEM) and identity and access management (IAM) solutions give CISOs the 360° visibility and access control needed to detect threats early, enforce policy consistently, and safeguard sensitive academic and research data.
Why are smart campuses high-value targets?
- Enterprise-scale operations: Smart campuses function like large enterprises—with multiple networks, departments, and facilities—but with far more diverse and less controlled user groups.
- Valuable data assets: These institutions store sensitive PII, financial records, and high-value research data, making them attractive to cybercriminals and state-sponsored attackers.
- Interconnected smart infrastructure: Internet of Things (IoT) devices, building automation, and connected labs expand the attack surface, often with limited security hardening.
- Heavy collaboration and cloud use: Dependence on email, LMS platforms, and third-party tools increases exposure to phishing, account takeover, and data leakage.
- Resource and policy gaps: Budget limits and decentralized IT governance lead to inconsistent patching, monitoring, and policy enforcement.
- Constant user turnover: Frequent changes in students, faculty, and contractors create risks from orphaned accounts and weak offboarding processes.
What are the key risk areas to focus on?
The top three risk areas to focus on in a smart campus are physical security and smart campus infrastructure; email and collaboration tools; and computer lab and shared devices.
Physical security and smart campus infrastructure
What risks occur in this area?
- Unauthorized building access via cloned keycards, stolen credentials, or compromised biometric systems.
- IoT device exploitation in cameras, door controllers, HVAC systems, or smart lighting.
- Surveillance system tampering to hide intruder activity or replace the feed with a false video.
- Access control system breaches allowing attackers to lock/unlock doors remotely.
- Weak integration security between physical systems and the campus network.
How does the attack process work?
- Reconnaissance
  - An attacker studies the campus layout, identifying entry points and connected devices.
  - Finds exposed IoT devices via Shodan or other scanning tools.
- Initial compromise
  - Gains access by stealing or cloning a keycard, exploiting an IoT vulnerability, or phishing a facility admin.
- System exploitation
  - Alters access permissions, disables alarms, or feeds fake CCTV footage.
  - In some cases, an attacker pivots from physical system access into the main campus network.
- Persistence and evasion
  - Installs backdoors or hidden admin accounts in building control systems.
What are the damages these attacks cause?
- Physical harm and safety risks where intruders gain entry to restricted labs, data centers, or student housing.
- Theft or destruction of high-value equipment or research assets.
- Operational disruption, such as locking down classrooms, cutting HVAC, or disabling lighting.
- Reputational loss from media coverage and damaged trust among students, faculty, and research partners.
- Regulatory violations or breaches of contractual obligations arising from a failure to protect premises.
What is the frequency and ease of attacks?
- Ease: Many IoT and physical access devices still run outdated firmware and default credentials, making them relatively easy to compromise remotely.
- Frequency: Higher education institutions are among the top sectors targeted for IoT attacks.
- Contributing factors: Large, open campuses combined with high foot traffic, frequent contractor and vendor access, and limited 24/7 security monitoring.
Email and collaboration tools
What risks occur in this area?
- Phishing and spear-phishing attacks targeting faculty, students, and staff.
- Business email compromise (BEC) scams targeting finance or admin departments.
- Account takeover using stolen credentials to access email, Google Workspace, Microsoft 365, and other digital services.
- Malware or ransomware distribution via shared documents, links, or file uploads.
- Data leakage or misconfiguration in shared drives, class folders, or cloud collaboration platforms.
- Impersonation attacks using spoofed domains to trick students or staff.
How does the attack process work?
- Initial contact (phishing)
  - An attacker sends a spoofed or deceptive email to a student or faculty member.
  - The lure often uses urgency, academic context, or impersonation (e.g., assignment deadlines, password resets, or disciplinary action).
- Credential harvesting or malware execution
  - The victim clicks a link and enters login details into a fake portal, or opens a malicious attachment.
  - The attacker gains access to the victim's email or cloud collaboration account.
- Account compromise and lateral movement
  - The attacker uses the compromised account to send more phishing emails within the university or to external contacts.
  - The attacker may access shared drives, upload malicious content, or escalate privileges.
- Data theft or financial fraud
  - Sensitive data (e.g., student PII, research files, budget spreadsheets) is exfiltrated.
  - In BEC scams, finance teams are tricked into wiring tuition refunds or vendor payments to attacker-controlled accounts.
What are the damages these attacks cause?
- Data loss or breach of student records, financial info, or academic intellectual property.
- Financial fraud involving tuition payments, grants, or payroll systems.
- Disruption to learning and collaboration, including locked files or email outages.
- Reputational damage affecting trust from students, parents, partners, and donors.
- Compliance violations (e.g., FERPA, HIPAA, or the GDPR) resulting in legal or regulatory penalties.
What is the frequency and ease of attacks?
- Check Point reports that education institutions experienced an average of 3,574 weekly attacks in 2024, a 75% year-over-year increase. Of these, 68% were email-based.
Computer labs and shared devices
What risks occur in this area?
- Credential theft from saved logins, keystroke logging, or browser autofill.
- Session hijacking due to improper logouts or cached credentials.
- USB-based malware injection via portable storage used by multiple users.
- Unauthorized software installation (e.g., keyloggers, proxy tools, cryptominers).
- Lack of endpoint hardening or visibility into user behavior.
- Shared admin or default accounts increase lateral movement potential.
How does the attack process work?
Step 1: Initial access
- The threat actor—whether an external attacker or an insider threat, like a student—physically accesses a lab system.
- Uses a USB device, malicious link, or downloaded file to install a keylogger or backdoor.
Step 2: Credential capture or lateral movement
- Logs admin credentials or reuses session tokens.
- Gains unauthorized access to cloud storage, student portals, or internal systems.
Step 3: Persistence and exploitation
- Creates hidden accounts or modifies the registry for persistent access.
- Uses the compromised system to scan for internal vulnerabilities or spread malware.
What are the damages these attacks cause?
- Data theft of student credentials, grades, research files, or admin access.
- Account takeovers in LMS, email, and cloud platforms.
- Malware propagation across the campus network.
- Service disruption, such as slow systems, lockouts, and corrupted files.
- Reputation damage and potential non-compliance with regulations (FERPA, the GDPR, etc.).
- Resource misuse (e.g., cryptomining) on lab devices.
What is the frequency and ease of attacks?
- Labs often lack advanced endpoint protection.
- Shared devices are rarely hardened or monitored consistently.
- Users rarely follow logout or sanitization best practices.
In the UK alone, 60% of secondary schools and 91% of universities reported at least one breach or attack in 2024.
How do SIEM and IAM work together to prevent such attacks?
Physical security and smart campus infrastructure
How a SIEM solution helps
- Collects logs from IoT gateways, network devices, and physical security systems.
- Correlates events to detect anomalies (e.g., repeated failed logins to building access controllers or sudden device configuration changes).
- Issues real-time alerts for suspicious device communication or abnormal network traffic from smart devices.
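As an added example of two of the checks listed above (not code from the original article or from any ManageEngine product), the following Python runs a segmentation check and a change-window check over constructed records. The device classes, subnets, flow tuples, syslog-style lines, maintenance window and all names are assumptions made up for illustration; in practice the allowed-destination table comes from the VLAN design and the flows from the gateway or NetFlow export.

```python
# Added example: IoT/building-system SIEM checks over constructed data.
# Device names, subnets, flows, syslog lines and the change window are assumptions.
from datetime import datetime, time
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.0.0.0/8")  # assumed campus address space

# Assumed segmentation policy: which networks each device class may reach.
ALLOWED_DST = {
    "camera": [ip_network("10.20.0.0/24")],                                       # NVR subnet
    "door_controller": [ip_network("10.20.0.0/24"), ip_network("10.30.0.5/32")],  # access-control server
    "hvac": [ip_network("10.40.0.0/24")],                                         # BMS subnet
}
DEVICE_CLASS = {"10.10.1.11": "camera", "10.10.1.12": "camera",
                "10.10.2.21": "door_controller", "10.10.3.31": "hvac"}

# Constructed flow records: (src, dst, dst_port, bytes), as a gateway might export.
FLOWS = [
    ("10.10.1.11", "10.20.0.7", 554, 120_000),       # camera -> NVR: expected
    ("10.10.1.12", "203.0.113.9", 443, 95_000_000),  # camera -> off-campus: violation
    ("10.10.2.21", "10.30.0.5", 443, 4_000),         # controller -> ACS: expected
    ("10.10.2.21", "10.10.3.31", 22, 2_000),         # controller -> HVAC over SSH: violation
    ("10.10.3.31", "10.40.0.2", 47808, 900),         # HVAC -> BMS (BACnet): expected
]

# Constructed syslog-style lines from an access controller.
CONFIG_EVENTS = [
    "2025-03-02T02:14:00 acs-01 user=svc_backup action=config_write object=door_schedule",
    "2025-03-03T11:05:00 acs-01 user=jdoe action=config_write object=reader_mode",
    "2025-03-03T11:06:00 acs-01 user=jdoe action=config_read object=reader_mode",
]
CHANGE_WINDOW = (time(1, 0), time(4, 0))  # assumed nightly maintenance window


def flow_violations(flows, device_class=DEVICE_CLASS, allowed=ALLOWED_DST):
    """Flows from a managed smart device to a destination outside its allowed
    networks. 'off_campus' marks traffic that leaves the campus address space."""
    hits = []
    for src, dst, port, nbytes in flows:
        cls = device_class.get(src)
        if cls is None:
            continue  # not a managed smart device; other rules cover it
        dst_ip = ip_address(dst)
        if not any(dst_ip in net for net in allowed[cls]):
            hits.append({"src": src, "class": cls, "dst": dst, "port": port,
                         "bytes": nbytes, "off_campus": dst_ip not in CAMPUS})
    return hits


def out_of_window_changes(events, window=CHANGE_WINDOW):
    """config_write events whose time of day falls outside the change window."""
    hits = []
    for line in events:
        ts, host, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("action") != "config_write":
            continue
        t = datetime.fromisoformat(ts).time()
        if not window[0] <= t <= window[1]:
            hits.append({"time": ts, "host": host,
                         "user": fields["user"], "object": fields["object"]})
    return hits


if __name__ == "__main__":
    for h in flow_violations(FLOWS):
        print("segmentation violation:", h)
    for h in out_of_window_changes(CONFIG_EVENTS):
        print("config change outside window:", h)
```

The segmentation rule is the one that catches a camera being used as a pivot: a device that only ever needs to reach its NVR has no business opening a session to a door controller or to the internet, so any flow outside the allow-list is an alert regardless of port or volume.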
How an IAM solution complements
- Enforces multi-factor authentication (MFA) for accounts managing critical IoT or physical security systems.
- Provides delegated administration to ensure only authorized personnel can modify device configurations.
Email and collaboration tools
How a SIEM solution helps
- Monitors Microsoft 365, Google Workspace, and Exchange logs for unusual activities like mass forwarding rules, mailbox permission changes, or multiple failed logins from different geographical locations.
- Detects suspicious file uploads and downloads in Teams or SharePoint, as well as other potential data exfiltration.
- Correlates email-based phishing attempts with endpoint or Active Directory events for full incident context.
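As an added example (not code from the original article or from any vendor product), the following Python implements three of the email signals above over constructed Microsoft 365 audit-style records and merges them per account so a multi-signal hit can be handed to IAM for session revocation and a password reset. The operation names UserLoggedIn, New-InboxRule, Set-InboxRule and Add-MailboxPermission are real unified-audit-log operations; the flattened field layout, the Lat/Lon geo-IP enrichment, the 900 km/h threshold and every user, address and value are assumptions.

```python
# Added example: M365 email/collaboration detections over constructed audit records.
# Field layout, geo enrichment, thresholds and all identities are assumptions.
import math
from datetime import datetime

EVENTS = [  # constructed
    {"CreationTime": "2025-03-03T08:01:00", "UserId": "prof.lee@uni.example",
     "Operation": "UserLoggedIn", "ClientIP": "198.51.100.4", "Lat": 51.50, "Lon": -0.12},
    {"CreationTime": "2025-03-03T08:40:00", "UserId": "prof.lee@uni.example",
     "Operation": "UserLoggedIn", "ClientIP": "203.0.113.77", "Lat": 1.35, "Lon": 103.80},
    {"CreationTime": "2025-03-03T08:42:00", "UserId": "prof.lee@uni.example",
     "Operation": "New-InboxRule",
     "Parameters": {"Name": ".", "ForwardTo": "drop@example.net", "DeleteMessage": "True"}},
    {"CreationTime": "2025-03-03T09:00:00", "UserId": "helpdesk@uni.example",
     "Operation": "Add-MailboxPermission",
     "Parameters": {"Identity": "finance@uni.example", "User": "prof.lee@uni.example",
                    "AccessRights": "FullAccess"}},
    {"CreationTime": "2025-03-03T09:30:00", "UserId": "s123456@uni.example",
     "Operation": "New-InboxRule", "Parameters": {"Name": "receipts", "MoveToFolder": "Receipts"}},
]

# Rule parameters that move mail out of the victim's sight or off-tenant.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def suspicious_inbox_rules(events):
    """Inbox rules that forward, redirect or delete mail (classic BEC persistence)."""
    hits = []
    for e in events:
        if e["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            risky = RISKY_RULE_PARAMS & set(e.get("Parameters", {}))
            if risky:
                hits.append((e["UserId"], sorted(risky)))
    return hits


def mailbox_permission_grants(events):
    """(grantee, mailbox, rights) for every permission grant; FullAccess on a finance mailbox is the one to review."""
    return [(e["Parameters"]["User"], e["Parameters"]["Identity"], e["Parameters"]["AccessRights"])
            for e in events if e["Operation"] == "Add-MailboxPermission"]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Consecutive logins per user whose implied speed exceeds max_kmh.
    min_km absorbs geo-IP jitter between nearby points of presence."""
    logins = sorted((e for e in events if e["Operation"] == "UserLoggedIn"),
                    key=lambda e: e["CreationTime"])
    last, hits = {}, []
    for e in logins:
        t = datetime.fromisoformat(e["CreationTime"])
        prev = last.get(e["UserId"])
        if prev is not None:
            hours = (t - prev["t"]).total_seconds() / 3600
            km = haversine_km(prev["Lat"], prev["Lon"], e["Lat"], e["Lon"])
            speed = km / hours if hours > 0 else float("inf")
            if km > min_km and speed > max_kmh:
                hits.append({"user": e["UserId"], "km": round(km), "hours": round(hours, 2),
                             "from": prev["ClientIP"], "to": e["ClientIP"]})
        last[e["UserId"]] = {"t": t, "Lat": e["Lat"], "Lon": e["Lon"], "ClientIP": e["ClientIP"]}
    return hits


def triage(events):
    """Merge the three signals per account. More than one signal on the same
    account is the case to hand to IAM for session revocation and a reset."""
    signals = {}
    for h in impossible_travel(events):
        signals.setdefault(h["user"], []).append("impossible_travel")
    for user, params in suspicious_inbox_rules(events):
        signals.setdefault(user, []).append("inbox_rule:" + ",".join(params))
    for user, mailbox, rights in mailbox_permission_grants(events):
        signals.setdefault(user, []).append(f"mailbox_access:{mailbox}:{rights}")
    return {u: {"signals": s, "action": "revoke_sessions_and_reset" if len(s) > 1 else "review"}
            for u, s in signals.items()}
```

Note that the permission grant is attributed to the grantee, not to the admin who ran the cmdlet: the account that gained access to the finance mailbox is the one whose other signals matter. The student's move-to-folder rule carries none of the risky parameters and produces no signal at all.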
How an IAM solution complements
- Enforces least privilege and conditional access for collaboration tools.
- Automates user onboarding and offboarding to remove stale accounts often targeted in phishing.
- Implements MFA and password policies to reduce credential theft success rates.
Computer labs and shared devices
How a SIEM solution helps
- Tracks all logon and logoff events on shared lab systems, including USB device usage.
- Detects abnormal patterns like one account logging into multiple lab machines within a short span of time or large file transfers to external storage.
- Integrates with antivirus and endpoint tools for centralized security monitoring.
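As an added example (not code from the original article or from any vendor product), the following Python runs two of the lab detections above over constructed endpoint events and escalates a removable-media copy when the same account is already hopping between machines. Event ID 4624 and the logon types 2, 10 and 11 are the real Windows logon event and its interactive variants; the "USB_COPY" record, its fields, the thresholds and every hostname and user ID are assumptions standing in for the telemetry an EDR or DLP agent would forward.

```python
# Added example: lab/shared-device detections over constructed endpoint events.
# The USB_COPY record type, thresholds, hostnames and user IDs are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed: (time, host, event, user, details)
    ("2025-03-03T13:00:00", "LAB-PC-01", 4624, "s123456", {"LogonType": 2}),
    ("2025-03-03T13:04:00", "LAB-PC-07", 4624, "s123456", {"LogonType": 2}),
    ("2025-03-03T13:09:00", "LAB-PC-12", 4624, "s123456", {"LogonType": 2}),
    ("2025-03-03T13:12:00", "LAB-PC-19", 4624, "s123456", {"LogonType": 2}),
    ("2025-03-03T13:15:00", "LAB-PC-03", 4624, "s789012", {"LogonType": 2}),
    ("2025-03-03T13:15:05", "LAB-PC-03", 4624, "s789012", {"LogonType": 5}),  # service logon, ignored
    ("2025-03-03T13:20:00", "LAB-PC-12", "USB_COPY", "s123456",
     {"Bytes": 2_500_000_000, "Device": "SanDisk Ultra"}),
    ("2025-03-03T14:30:00", "LAB-PC-03", "USB_COPY", "s789012",
     {"Bytes": 40_000_000, "Device": "Kingston DT"}),
]
INTERACTIVE = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive


def multi_host_logons(events, max_hosts=3, window=timedelta(minutes=15)):
    """Accounts that log on interactively to more than max_hosts distinct machines
    inside one window: a shared password, or a harvested one being tried around the lab."""
    by_user = defaultdict(list)
    for ts, host, event, user, details in events:
        if event == 4624 and details.get("LogonType") in INTERACTIVE:
            by_user[user].append((datetime.fromisoformat(ts), host))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                alerts.append({"user": user, "start": t0.isoformat(), "hosts": sorted(hosts)})
                break  # one alert per account is enough
    return alerts


def large_removable_transfers(events, threshold_bytes=1_000_000_000):
    """Removable-media copies at or above threshold_bytes (1 GB by default)."""
    return [{"user": user, "host": host, "gb": round(d["Bytes"] / 1e9, 2), "device": d["Device"]}
            for ts, host, event, user, d in events
            if event == "USB_COPY" and d["Bytes"] >= threshold_bytes]


def correlate(events):
    """Raise a removable-media alert to high severity when the same account is
    already flagged for hopping between machines."""
    hopping = {a["user"] for a in multi_host_logons(events)}
    return [dict(x, severity="high" if x["user"] in hopping else "medium")
            for x in large_removable_transfers(events)]


if __name__ == "__main__":
    for a in multi_host_logons(EVENTS):
        print("multi-host logon:", a)
    for a in correlate(EVENTS):
        print("removable media:", a)
```

The window is deliberately short and the host count deliberately low: a student legitimately moving between two lab seats in a session is normal, four machines in twelve minutes is not. Tune both against a week of the lab's own logon data before turning the rule into an automatic IAM action.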
How an IAM solution complements
- Enforces time-based or location-based access policies for lab accounts.
- Automates periodic password resets for any shared user IDs that cannot yet be replaced with individual accounts.
- Provides self-service password reset to reduce password sharing and help desk tickets.
- Delegates granular lab resource permissions to prevent broad admin rights on shared machines.
How do SIEM and IAM work together?
- Unified incident detection and response
  - SIEM detects anomalies (e.g., mass logins in labs, IoT device tampering, unusual email activity).
  - IAM enforces corrective actions such as forcing a password reset, disabling accounts, or tightening access policies.
- Cross-platform visibility
  - SIEM provides correlation across campus devices, email, and user activities.
  - IAM aligns identity controls with those insights, ensuring attacks can’t escalate due to misconfigured privileges.
- Continuous compliance
  - SIEM generates audit-ready reports for ISO 27001, FERPA, and the GDPR.
  - IAM ensures identity governance aligns with those frameworks by maintaining least privilege access and periodic reviews.
What are the security policies to be followed by CISOs to prevent such attacks?
1. Physical security and smart campus infrastructure security policies
Objective: Secure IoT, physical access systems, and connected facilities from unauthorized access and tampering.
- Zero Trust network segmentation: Place IoT devices, surveillance systems, and building automation controllers on isolated VLANs.
- Strong authentication for device management: Enforce MFA for all IoT admin accounts.
- Regular patch and firmware updates: Establish a quarterly update cycle for smart devices and controllers, and patch out of cycle when a vulnerability in a deployed device is being actively exploited.
- Access review and privilege limitation: Limit admin access to campus infrastructure systems based on role and job function.
- Continuous monitoring: Use SIEM to detect device configuration changes or unusual communication patterns.
2. Email and collaboration security policies
Objective: Reduce phishing, account compromise, and data exfiltration risks for faculty, staff, and students.
- Mandatory MFA: Apply MFA for all email and collaboration tool logins.
- Anti-phishing and URL protection: Deploy policies in Microsoft 365 or an equivalent that check whether links and attachments are safe.
- Automated offboarding: Immediately revoke access for departing faculty, students, and contractors.
- Least privilege for shared drives and sites: Grant only the minimum necessary access to shared storage, sites, and collaboration tools.
- Threat simulation and training: Conduct quarterly phishing simulation campaigns for awareness.
- Anomalous behavior alerts: Monitor for impossible travel logins, bulk file downloads, or suspicious mailbox rules.
3. Computer labs and shared device security policies
Objective: Prevent misuse, malware injection, and unauthorized data access on public campus endpoints.
- Identity-based access control: Require unique logins for each individual (student and staff) using lab machines.
- Session timeouts: Auto-logoff after inactivity to prevent account misuse.
- USB device control: Restrict or log usage of removable media in labs.
- Disk wiping and profile reset: Automatically clear user profiles and temporary data after each session.
- Endpoint protection integration: Verify that all lab devices run updated antivirus and EDR agents and are reporting to the SIEM solution.
- Scheduled vulnerability scans: Automate monthly scans for outdated software or unpatched vulnerabilities.
4. Overarching CISO security governance policies
- Unified identity governance: Integrate IAM and SIEM solutions to align access controls with threat detection.
- Incident response plan: Maintain and test an incident response plan that includes lab systems, IoT devices, and cloud platforms.
- Compliance alignment: Ensure policies meet FERPA, GDPR, ISO 27001, and NIST standards.
- Privileged access management: Strictly control and audit privileged accounts.
- Regular security audits: Conduct annual third-party security reviews for both IT and OT systems.
- Threat intelligence subscription: Leverage sector-specific threat feeds for early warning.
How is securing the education sector with SIEM and IAM a strategic and financial win?
For the modern education sector, the security challenge extends far beyond protecting networks; it’s about safeguarding the trust of students, faculty, and stakeholders while ensuring uninterrupted learning. Implementing a robust SIEM solution like ManageEngine Log360 alongside an IAM platform like ManageEngine AD360 empowers institutions with real-time threat detection, rapid incident response, and precise access control across diverse digital and physical environments.
The financial benefits are equally compelling. Data breaches in the education sector cost an average of $3.8 million per incident, but the combination of SIEM and IAM can significantly reduce this risk. Additionally, industry studies show effective IAM programs can reduce breach remediation costs by up to $223,000 annually. These savings, combined with reduced downtime from ransomware or account compromise, deliver a measurable return on investment.
In short, integrating SIEM and IAM not only strengthens an institution’s cybersecurity posture but also optimizes operational efficiency, allowing educational organizations to protect resources, reduce risk, and channel savings into their core mission of delivering quality education.
Related solutions
ManageEngine Log360 is a unified SIEM solution with UEBA, DLP, CASB, and dark web monitoring capabilities. Detect compromised credentials, reduce breach impact, and lower compliance risk exposure with Log360.
ManageEngine AD360 is a unified IAM solution that provides SSO, adaptive MFA, UBA-driven analytics, and RBAC. Manage employees' digital identities and implement Zero Trust and the principles of least privilege with AD360.
This content has been reviewed and approved by Ram Vaidyanathan, IT security and technology consultant at ManageEngine.