HEPI and Jisc have today jointly published ‘How safe is your data? Cyber-security in higher education’ (HEPI Policy Note 12).
The paper reveals:
- under penetration testing (ethical hacking) using spear phishing, there is a 100 per cent track record of gaining access to higher education institutions’ high-value data within two hours;
- 173 higher education providers engaged with Jisc’s Computer Security Incident Response Team in 2018 (a 12 per cent increase); and
- during 2018, there were more than 1,000 Distributed Denial of Service (DDoS) attacks detected at 241 different UK education and research institutions.
The paper highlights areas of concern, pinpoints the sources of cyber attacks and proposes specific actions universities should take to tackle the issue, including the adoption of a new British Standard on cyber risk and resilience.
Dr John Chapman, Head of Jisc’s Security Operations Centre and the author of the report, said:
Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat.
While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment.
To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences.
Nick Hillman, Director of the Higher Education Policy Institute, said:
Universities hold masses of data on sensitive research, on the inventions of the future and on their staff and students, but some of it is not properly secured.
The two main functions of universities are to teach and to research. Students like having their personal data used to improve teaching and learning. But this support is conditional and is unlikely to survive a really serious data breach. Meanwhile, future UK economic growth is highly dependent on university research. This provides valuable information that a few unscrupulous foreign governments are keen to access.
Despite the challenges, cyber security is an area where we know how to make a difference, especially when there is leadership from the top. University managers and governors need to address cyber-security issues, including through the new British Standard on Cyber risk and resilience. Meanwhile, regulators need to consider imposing minimum cyber-security and network requirements to keep students and staff safe.
Professor David Maguire, Chair of Jisc and Vice-Chancellor of the University of Greenwich, said:
Universities are absolutely reliant on connectivity to conduct almost all their functions, from administration and finance to teaching and research. These activities accrue a huge amount of data; this places a burden of responsibility on institutions, which must ensure the safety of online systems and the data held within them.
Developing strong cyber-security policies is vital not only to protect data, but also to preserve the reputation of our university sector. The HEPI / Jisc paper will help to draw higher education leaders’ attention to this important aspect of their work.
NB: It’s important to note that Jisc’s penetration testing service does not hack universities, or share any information regarding the scope or results of testing with anyone other than the commissioning organisation.
One of the services offered as part of the agreed scope-of-work is to try to gain credentials via spear phishing. This occurs in a very limited number of engagements, but in cases where spear phishing has been carried out, it has proved very successful as a means of acquiring high-value credentials, which could provide access to high-value data. Individual institutions are always informed in detail of what the pen testers did and what they discovered, and receive suggestions to help remediate.
In the paper, Jisc has shared its experience of using spear phishing as part of a commissioned engagement as a means of highlighting that the threat from this activity is very high.
Notes for Editors
- Jisc is a not-for-profit organisation providing the UK’s national research and education network, Janet, to which all universities and research centres are connected. It also supplies other technology solutions for its further and higher education members. Jisc is funded by the UK higher and further education and research funding bodies and member institutions. Jisc’s vision is for the UK to be the most digitally advanced education and research nation in the world. For further information, see www.jisc.ac.uk.
- The Higher Education Policy Institute (HEPI) was established in 2002 to influence the higher education debate with evidence. We are UK-wide, independent and non-partisan. We are funded by organisations and universities that wish to see a vibrant higher education debate as well as through our own events.