More than 50 universities in the UK have had their lack of cyber defences exposed, with security testers breaching their systems in under two hours.
The tests were conducted by Jisc, the agency that provides Internet services to the UK’s universities and research centres. The organisation’s penetration testers were successful in every attempt, accessing personal data of students and staff, finance systems and research networks.
Universities vulnerable to spear phishing
Jisc’s report on the tests revealed that the ethical hackers’ most effective method was spear phishing.
These are highly targeted scam emails that are sent to senior personnel in an organisation. The hackers claim to be a trusted source, such as a colleague or a third party, and attempt to lure the victim into clicking a link or downloading an attachment that contains malware.
John Chapman, the head of Jisc’s security operations centre, warned that the vulnerabilities could be a sign of an impending “disastrous data breach or network outage”.
He added: “We are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment”.
“Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat.”
It’s not hard to see why Chapman would call these findings a disaster. The education sector is one of the most highly targeted by cyber criminals, with a recent freedom of information request revealing that there were more than 700 data breaches at UK schools and academies in 2018.
Meanwhile, the Times reported last year that there were 1,152 data breaches at UK universities in 2016–17, with many attacks geared towards stealing financial information and intellectual property.
Burden of responsibility
David Maguire, who chairs Jisc, says that universities “accrue huge amounts of data”, which “places a burden of responsibility on institutions, which must ensure the safety of online systems”.
Carsten Maple, the director of cyber security research at Warwick University, agrees that universities need to improve their defences urgently.
“Universities drive forward a lot of the research and development in the UK. Intellectual property takes years of know-how and costs a lot. […] Certainly somebody might attack a university and then provide that information to a nation state.”
Professor Maple added that criminals could make “a very good business case” for hacking universities because of the low costs incurred and their poor digital defences.
Dr Anton Grashion, the head of security practice at Cylance, concurs, telling the BBC that the open networks many universities run make them a “tempting and easily accessible” target.
He added: “It’s no surprise that universities are suffering from an increase in security breaches. Their network environments are some of the most challenging networks to manage, with usually smaller security and staffing budgets.”
Reducing cyber attacks through staff training
As the Jisc project demonstrates, cyber attacks are often caused by human error. Simple training can substantially reduce this risk. Our e-learning is a straightforward and cost-effective way to quickly train all staff and students in spotting threats.
Ethical hacking services
Test your defences with our penetration testing services. By simulating an attack, we can detect your vulnerabilities and work with you to protect your valuable data and research.