A team of hackers were able to obtain “highly-valued” data in under two hours during a test of British universities’ cyber defences, a new report has found.
Ethical hackers from Jisc, a Government-funded agency that provides services to the UK’s universities and research centres, had a 100% success track record in getting through their cyber defences.
The report, published jointly with the Higher Education Policy Institute (HEPI), says universities are not doing enough to protect themselves against cyber attackers and urges them to take immediate action against such threats.
The report also warned that phishing attacks against students are becoming “more sophisticated” and have increased within UK institutions.
Among such attacks are scams which falsely offer free grants to students or ask them to update their bank details so that they can repay their student loans.
The report added that phishing attacks where emails appear to be sent from a trusted source in order to convince a victim into clicking on a link or downloading a file, are becoming increasingly common.
Dr. John Chapman, head of Jisc’s security management and author of the report, warned that it was “critical” for universities to build robust defences in order to prevent a “potentially disastrous” data breach, or even a network outage.
“Universities can’t afford to stand still in the face of this constantly evolving threat,” he said.
“While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills, and investment.”
According to the report, more than 1,000 were detected at 241 different UK education and research institutions in 2018.
In addition to students being tricked to hand over money, hackers could also turn their attention to universities’ highly valuable research data, the report said.
“Universities hold masses of data on sensitive research, on the inventions of the future and on their staff and students, but some of it is not properly secured,” said Nick Hillman, director of HEPI (which published the report with Jisc).
“The two main functions of universities are to teach and to research. Students like having their personal data used to improve teaching and learning. But this support is conditional and is unlikely to survive a really serious data breach. Meanwhile, future UK economic growth is highly dependent on university research. This provides valuable information that a few unscrupulous foreign governments are keen to access,” he said.
Jisc recommends that universities should set minimum requirements for cybersecurity at UK institutions in order to rectify the problem.
“Universities are absolutely reliant on connectivity to conduct almost all their functions, from administration and finance to teaching and research. These activities accrue huge amounts of data; this places a burden of responsibility on institutions, which must ensure the safety of online systems and the data held within them,” said Professor David Maguire, chair of Jisc and vice-chancellor of the University of Greenwich.
“Developing strong cybersecurity policies is vital, not only to protect data but also to preserve the reputation of our university sector,” he added.