Blog post by Arcanum Cyber Security
Our team has been looking at cyber security issues in the Higher Education sector for some time, and over the last couple of years we have published a number of pieces detailing some of that research into attacks on US universities between 2002 and 2017.
In those pieces, we commented that we thought the number of reported attacks on UK universities was going to increase dramatically. Figures just published show that we were right and that over the last year there have been around 1,000 cyber-attacks on UK universities alone, with many being attacked on more than one occasion¹.
As we have previously said, Higher Education is one of the top 5 sectors to be targeted consistently² and whilst most breaches are crime-related, other threat actors are also highly active in this area. The most common are malicious insiders aiming to cause mischief, hacktivists with a political message to pursue, and novice hackers out to make a name for themselves. There have also been notable occurrences of industrial espionage by state-sponsored attackers, which is not surprising given the wealth of cutting-edge technology research data held by many universities.
It was obvious from our early research that cyber security within the education sector was not being taken as seriously as it should have been. It seems that situation hasn’t changed, and researchers employed by JISC, the Higher Education sector’s network and technology services provider, have proved that current cyber security measures are inherently insecure since, on average, it only took them 2 hours to access university networks and extract high value information¹.
Recently, the Information Commissioner’s Office (ICO) published its own assessment of information security at UK universities. The findings state that only a shocking 50% of the sample took steps in preparation for GDPR. This suggests incompetence on the part of universities, later resulting in fatal consequences from cyber-attacks, with sensitive data accessed by unauthorised personnel³.
In May 2017, JISC published a blog titled “A year to get your act together: how universities and colleges should be preparing for new data regulations”⁴. It seems that the universities didn’t listen to some very good advice. Perhaps they should listen now: taken together, all the evidence suggests that there is an institutional failure to address cyber security across the Higher Education sector, leading to the conclusion that there will be further major breaches in the UK in the near future.
Arcanum has been providing expert security advice for over 10 years and is one of only 14 consultancies certified by the National Cyber Security Centre (NCSC) for cyber Risk Assessment and Risk Management. With NCSC certified consultants on hand, we can tailor our service to your business needs. Our client base is across many sectors, ranging from government and Defence Industry, through Critical National Infrastructure and Private Sector multinationals and SMEs, all the way to the 3rd Sector.
If you are looking to improve your information security, please get in touch to organise a call or meeting. One of our NCSC certified consultants would be delighted to guide you through the measures to put in place to help secure your university.
Please give us a call on 01558 669140 or email admin@arcanum-cyber.com.
¹https://www.bbc.co.uk/news/education-47805451
²https://ico.org.uk/media/2614196/20190124-information-risk-review-report-higher-education-sectorpdf.pdf
³https://ico.org.uk/media/2614196/20190124-information-risk-review-report-higher-education-sectorpdf.pdf
⁴https://www.jisc.ac.uk/blog/a-year-to-get-your-act-together-how-universities-and-colleges-should-be-preparing-for-new-data-regulations