Data breaches at British universities have doubled in the past two years, the Times reports.
There were 1,152 incidents in 2016–17, with criminals thought to be targeting top universities and stealing research into defence technologies (including missiles and stealth fabric), alternative fuels, batteries and medical advances.
A significant proportion of the attacks used ransomware and phishing emails.
Nation states behind the attacks?
It’s not unusual for cyber criminals to steal data – it’s often their primary motive – but it’s rare for them to target intellectual property. In most cases, criminals steal personal information, as there are plenty of people on the dark web willing to buy that data to spam people or hack them.
Industrial research has a much more limited appeal, and the Times cites several senior university staff who believe that nation states were behind the hacks. One institution said it had faced between 1,000 and 10,000 cyber attacks in the past year, with most traced to Russia, China and other parts of the Far East.
Carsten Maple, director of cyber security research at Warwick University, said universities need to improve their defences urgently.
“Universities drive forward a lot of the research and development in the UK. Intellectual property takes years of know-how and costs a lot. […] Certainly somebody might attack a university and then provide that information to a nation state.”
Maple added that criminals could make “a very good business case” for hacking universities because of the low costs incurred and their poor digital defences.
Dr Anton Grashion, head of security practice at Cylance, agreed, telling the BBC that the open networks many universities run make them a “tempting and easily accessible” target.
He added: “It’s no surprise that universities are suffering from an increase in security breaches. Their network environments are some of the most challenging networks to manage, with usually smaller security and staffing budgets.”
Mitigating the risk
Universities are not the only institutions that struggle to put enough funding into cyber security. Fortunately, there are some relatively low-cost solutions that can drastically improve any organisation’s cyber security posture.
Most of the attacks on universities last year used phishing or ransomware (which is often delivered through phishing). These attacks are only effective if the recipients are not prepared. Phishing relies on people being tricked into believing a malicious communication is genuine, and ransomware relies on people not having backups of their data.
If an organisation can get its staff to avoid these pitfalls, it can mitigate one of the biggest security issues. You can begin to do that with our Phishing and Ransomware – Human patch e-learning course.
This course provides an overview of the threats organisations face, and is ideal for introducing employees to their security obligations. It explains what phishing and ransomware are, the consequences of successful attacks and how you can stop them.