Simulated cyber attacks against UK universities found that hackers were able to obtain high value data within two hours. The tests were organized by Jisc, the agency providing internet services to the UK’s universities and research centers.
The hackers were able to access personal data, finance systems and research networks. University research projects have been major hacking targets: during 2018, there were more than 1,000 Distributed Denial of Service (DDoS) attacks detected at 241 different UK education and research institutions
The Higher Education Policy Institute (HEPI) and Jisc jointly published the How safe is your data? Cyber security in higher education paper on April 4.
The paper reveals a 100 per cent track record of hackers gaining access to higher education institutions’ high-value data within two hours during the simulated attacks.
The paper highlights areas of concern, pinpoints the sources of cyber attacks and proposes specific actions universities should take to tackle the issue, including the adoption of a new British Standard on cyber risk and resilience.
Dr John Chapman, head of Jisc’s security operations centre and the author of the report, said cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat.
“While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber security knowledge, skills and investment.
“To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences.”
Nick Hillman, director of HEPI, said universities hold masses of data on sensitive research, on the inventions of the future and on their staff and students, but some of it is not properly secured. He added that universities are currently unlikely to survive a really serious data breach.
“Despite the challenges, cyber security is an area where we know how to make a difference, especially when there is leadership from the top. University managers and governors need to address cyber security issues, including through the new British Standard on cyber risk and resilience. Meanwhile, regulators need to consider imposing minimum cyber security and network requirements to keep students and staff safe.”
The simulated attacks revealed that one of the most effective approaches was “spear phishing”, where an email appears to be from someone you know or a trusted source but is really a way of concealing an attack, such as downloading “malware”.
While most reported attacks on UK universities last year were related to phishing and attempts to gain entry for ransomware and malware, overseas states also targeted UK universities to steal intellectual property and attempt to gain technological advantage.
Despite the millions of data breaches reported from multinational companies, the theft or exposure of academic data is not widely publicised. But universities also have valuable and commercially-sensitive research data of interest to organized criminals and some unscrupulous nation states.
There were two such large-scale incidents that affected higher education institutions in 2018. Iranian hackers (linked to a criminal organization called the Mabna Institute) targeted UK universities via the ‘Silent Librarian’ campaign. And Stolen Pencil – a North Korean group – targeted individual academics with emails designed to trick them into downloading a malicious extension to the Chrome web browser.
The HEPI/Jisc paper highlights how a national conversation between those with a vested interest in the protection of universities from cyber attack, including government, should explore further steps to enhance resilience across this critically valuable sector.