Universities in the United Kingdom have a serious cybersecurity problem that needs to be addressed as soon as possible. The problem? It’s incredibly easy to break into a university’s network.
A report published by Jisc and the Higher Education Policy Institute (Hepi) reveals that, during penetration and ethical hacking tests, 100 percent of the 50 universities tested could be breached within two hours.
Once the testers were on the networks they were able to access staff and student information, financial systems and research databases.
The researchers who carried out the tests said that spear-phishing tactics were among the most successful ways to gain access to a university’s network. Spear-phishing is when an attacker sends an email that has been made to look as if it comes from a trusted source and that contains malware in some form or another.
Author of the report and head of the Jisc security operations centre, Dr John Chapman, says that cyber attacks are becoming increasingly sophisticated and that universities must be able to evolve to face these threats.
“While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber security knowledge, skills and investment,” Chapman said.
“To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences,” added Chapman.
What strikes us as odd is that UK universities are experiencing cybercrime in one way or another. In 2018, 173 higher education providers engaged with the Jisc Computer Security Incident Response Team, and 1 000 distributed denial of service attacks were detected at 241 education and research institutions in the UK in the same year.
What universities need, then, is guidance, according to Hepi director Nick Hillman.
“Despite the challenges, cyber security is an area where we know how to make a difference, especially when there is leadership from the top. University managers and governors need to address cyber security issues, including through the new British Standard on cyber risk and resilience. Meanwhile, regulators need to consider imposing minimum cyber security and network requirements to keep students and staff safe,” says Hillman.
The fact of the matter is that, like companies, universities are reliant on the internet and the connectivity it brings with it. This also means that any and all data at a university must be protected from the nasty folks looking to get their hands on research data or, worse, sensitive personal information about staff and students.