A new report into the safety of British Universities may have revealed a huge potential security risk, according to academic support body Jisc (formerly the Joint Information Systems Committee).
The study, published last week, reveals that “more than 1,000 DDoS attacks were detected against 241 different UK education and research institutions”. Jisc went on to say that they “are not confident that all UK higher education providers are equipped with the adequate cybersecurity related knowledge, skills and investment.”
Jisc also claims to have had “a 100 per cent track record of gaining access to a higher education institution’s high value data within two hours”.
The technique employed was “spear-phishing”, whereby specific people are targeted using carefully crafted (usually email) ruses to trick the individual into entering sensitive information.
The education sector is understandably concerned about its safety, as it is responsible for thousands of students’ personal data. Further research by YouGov and Sophos has found that 34% of educational establishments place data loss as their greatest cybersecurity concern.
The report also details how “Only 15 per cent of higher education IT and security staff scored their organisation as eight or more out of 10 on a scale where one means ‘Not at all well protected’ and 10 means ‘Very well protected: comprehensive controls in place’”.
Jisc says that, among the many reasons for this low figure, the principal ones were “a lack of dedicated staff and budgets” as well as a “lack of policies, suggesting senior leaders are not taking the issue seriously enough.”
When it comes to cyber-security, UK higher education and research has the advantage of operating on its own bespoke network, known as the ‘Janet’ Network. This has built-in cyber-security measures overseen by Jisc’s Security Operations Centre. However, universities are ultimately responsible for safeguarding their own data.
The report also mentions that “Analysing the timings of these attacks has led Jisc to surmise that many of them are ‘insider’ attacks launched by disgruntled students or staff”.
The paper aims to “highlight how a national conversation between those with a vested interest in the protection of universities from cyber-attack, including Government, should explore further steps to enhance resilience across this critically valuable sector.”
The education sector experiences the same types of attacks as everyone else. Three of the most common attacks on the education sector are all ‘big hitters’ that are used to steal data, cause damage, and/or extort money:
- Distributed Denial of Service (DDoS): This attack type is meant to wreak havoc on resources. For example, it may lead to a website going down or cloud applications being adversely impacted. It can also be a ruse to send IT staff on a wild goose chase trying to resolve the DDoS attack, whilst all along the attacker is exfiltrating personal data. In the first six months of 2018, Jisc found that 225 FE colleges in the UK were victims of a DDoS attack.
- Ransomware: Ransomware encrypts your files and then demands a ransom to get them back. The massive WannaCry ransomware attack of 2017, which made the headlines when the NHS was adversely affected by it, also impacted many educational establishments. One example was Durham Sixth Form Centre, which was infected with ransomware during exam time, causing havoc.
- Phishing: The cybercriminal’s “go to” tool is phishing. Phishing is a modern-day scam: tricking you into opening a malicious attachment or clicking on a spoofed link. A new report by Symantec has found that most malware infections begin with a phishing email, or rather a spear-phishing email, which targets a specific victim and is harder to spot. The phishing email will either contain an attachment that can infect your computer with software that steals data and/or login credentials, or it will take you to a site that steals the same.
Education, like all other sectors, is fighting a battle against cybercrime. As the sector opens the school gates to a hyperconnected future, the risks to data and the wider IT infrastructure increase.
Understanding where these risks lie is part of the concerted effort the sector must make to stay cyber-safe.
Being cyber-aware and using security awareness training and simulated phishing campaigns can go a long way to educating your wider employee base about the risks and how to avoid a cybersecurity incident.