With huge datasets and highly sensitive and valuable research information, further and higher education institutions are an increasingly attractive target for criminal cyber activity.
Indeed, there have been several high-profile phishing attacks this year against our sector, including at Lakes College.
Why phishing is a major concern
One of the biggest cyber security threats to UK colleges and universities is phishing. These malicious emails, and the fake websites they encourage recipients to click through to, are becoming more sophisticated and therefore harder to identify.
Organised criminals at home and abroad are using phishing attacks in the hope that, by harvesting the username and password of individuals, they can steal money, or access sensitive data for industrial espionage or political gain.
When news of such a breach leaks out, the financial and reputational fallout cannot be overestimated.
We know that phishing is a major concern for members; it has been named as one of the top three threats in all three of our cyber security posture surveys (2017-2019). To help members keep abreast of this evolving crime, we gather intelligence from various sources, which allows us to spot trends that we can share with the sector.
For example, during 2018, we noticed phishing attacks becoming more sophisticated and better targeted towards the education sector.
Around the beginning of term, particularly at the start of the academic year, there is an increase in student grant fraud. This is where students are sent phishing emails purporting to offer free grants or requesting bank details so that loans can be “paid”.
Examples of common attacks
Spear phishing attacks, where specific individuals are targeted with requests for information, are also becoming more common. One example is ‘CEO fraud,’ where criminals send urgent requests by email to finance departments, impersonating senior members of staff in an attempt to trick recipients into transferring funds to the fraudster’s bank account. Jisc’s chief executive and finance department have been targeted in this way, and our security operations centre is aware of similar attempts against education institutions.
In one case, fraudsters used a senior staff member’s name on a Gmail account to try to convince a more junior colleague to purchase a gift voucher on their behalf. The fraudster stated that the voucher was an urgent birthday present and cited an all-day meeting as the reason they could not buy it themselves. They also asked for images of the voucher, including the PIN code. In this instance the spelling and grammar were noticeably poor, so the email was recognisable as a fraud attempt.
Another phishing email asked the recipient to review an attached document. The attachment contained a link to ‘unlock’ the document, which led to a web page asking the victim to enter their login details.
In both cases the criminals used the names of senior staff and sent the emails to people who worked closely with them. Identifying those staff was easy because the universities’ departmental structures were published on their websites.
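The gift-voucher case above has a recognisable shape that a mail gateway or SOC rule can pick out: a real senior staff member’s name as the display name, a sending address on an external or free webmail domain, and an urgency cue in the subject. The following Python is an added example written for this page, not Jisc’s own tooling. The institution domain, the senior staff list (the kind of names an attacker reads off a published org chart) and both sample messages are constructed assumptions.

```python
"""Flag display-name impersonation of senior staff in inbound email.

Added example, not Jisc's own tooling. It assumes a list of senior staff
names (as an attacker would read them off the published org chart) and the
institution's own mail domain; both are constructed below, as are the sample
messages.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INSTITUTION_DOMAIN = "example.ac.uk"                 # assumption: the college's own domain
SENIOR_STAFF = ["Jane Smith", "Prof. Alan Jones"]    # assumption: names from the public org chart
HONORIFICS = {"prof", "professor", "dr", "mr", "mrs", "ms", "sir", "dame"}
URGENCY = re.compile(r"\b(urgent|asap|immediately|quickly|today|favou?r)\b", re.I)


def normalise(name: str) -> str:
    """Lower-case, strip punctuation and honorifics so 'Prof. Alan Jones' == 'alan jones'."""
    words = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in HONORIFICS)


KNOWN_NAMES = {normalise(n) for n in SENIOR_STAFF}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw_message: str) -> dict:
    """Return the sender address, a suspicious flag and the reasons behind it."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    reasons = []

    impersonates = normalise(from_name) in KNOWN_NAMES
    if impersonates and from_domain != INSTITUTION_DOMAIN:
        # The CEO-fraud pattern: a real executive's name on an external mailbox.
        reasons.append("senior staff display name on external domain %s" % from_domain)
    if reply_addr and domain_of(reply_addr) != from_domain:
        # Replies are steered to a mailbox the attacker controls.
        reasons.append("Reply-To domain %s differs from From domain" % domain_of(reply_addr))
    if impersonates and URGENCY.search(msg.get("Subject", "")):
        reasons.append("urgency cue in subject")

    return {"from": from_addr, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (headers matter here; the bodies are illustrative).
GIFT_CARD_LURE = """From: "Prof Alan Jones" <alan.jones.vc@gmail.com>
Reply-To: <alan.jones.vc@gmail.com>
To: junior.admin@example.ac.uk
Subject: Urgent favour

Are you free? I need some gift vouchers for a birthday today, I'm in meetings all day.
"""

GENUINE_MESSAGE = """From: "Prof. Alan Jones" <alan.jones@example.ac.uk>
To: junior.admin@example.ac.uk
Subject: Agenda for Monday

Attached as discussed.
"""

if __name__ == "__main__":
    for sample in (GIFT_CARD_LURE, GENUINE_MESSAGE):
        print(assess_message(sample))
```

The lure is flagged on two counts (executive name on gmail.com, urgency in the subject) while the genuine message from the institution’s own domain passes. A rule like this catches the webmail variant of CEO fraud; a look-alike registered domain needs a separate check on domain similarity, and none of this replaces a finance process that verifies payment and voucher requests out of band.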
Making sure students and staff are informed
It’s probably true that awareness of phishing has grown over the past few years, but it does not follow that everyone in colleges or universities can spot a suspicious email, a dubious link or a spoof website. A simulated phishing campaign establishes a benchmark and raises awareness, safely giving users experience of what a phishing attack looks like and the confidence and skills to spot suspicious emails in future.
“Six months after we’d done that training, we were attacked for real, but only two people fell for it. That’s compared with a third of the entire staff the first time round.”
In addition, one of the best ways to minimise human error is a rolling programme of security awareness training.
We advocate compulsory training for all students and staff and the sector has begun moving in this direction. Our first cyber security posture survey in 2017 showed that 48% of universities and 41% of colleges had mandatory training in place for some or all staff, which rose to 57% and 55% respectively in 2018. Although this year’s figure for HE is now an impressive 81%, the number of FE organisations with compulsory staff training has remained static at 55%.
Far fewer organisations insist on security training for students, however. In 2017, 10% of both higher and further education said this training was mandatory for students. In 2018, this dropped to only 3% of universities, but there was an increase, to 31%, in the figure from colleges. This year, 8% of HE insist on all or certain students taking training and there has been a drop to 24% of FE providers.
Although awareness training is a helpful defence against phishing campaigns, it won’t solve the problem by itself. Some phishing emails are so sophisticated that they are almost impossible to distinguish from genuine mail, so it’s essential to also put in place technical solutions. The NCSC has some detailed guidance on the type of controls to choose. These include:
- DMARC, SPF and DKIM: email authentication standards that let receiving mail servers reject messages that spoof your domain. They do not stop attacks sent from look-alike or free webmail domains, such as the Gmail example above, which rely on the display name rather than a forged sender address
- Reducing publicly available information about staff and students that could be used to target them, such as detailed departmental structures
- Implementing your email provider’s filtering service
- Using multi-factor authentication: requiring an additional safeguard beyond a username and password to log on to key systems limits what an attacker can do with credentials harvested by a phishing page
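Whether SPF and DMARC actually protect a domain depends on how the records are written: an SPF record ending in `?all` and a DMARC policy of `p=none` are common starting points that authenticate nothing in practice. The Python below is an added example for this page, not Jisc or NCSC tooling. It parses the two TXT records and reports what an administrator would need to change; the records are constructed, and it takes them as strings so it runs offline.

```python
"""Check published SPF and DMARC records for anti-spoofing strength.

Added example, not Jisc or NCSC tooling. It takes the DNS TXT record
strings as input so it runs offline; the records below are constructed.
DKIM is not assessed here, since checking it needs the selector used by
the sending platform, not just the domain.
"""
import re

SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: more than 10 DNS lookups is a permerror


def parse_spf(txt: str) -> dict:
    """Return the qualifier on the final 'all' term and the DNS lookup count."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:=/]", mech, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qual
        elif name in SPF_LOOKUP_MECHS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; requires v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_domain(spf_txt: str, dmarc_txt: str) -> dict:
    """Produce findings a mail admin would act on, plus an overall enforcing flag."""
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    findings = []

    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unauthorised senders (missing, +all or ?all)")
    elif spf["all"] == "~":
        findings.append("SPF uses softfail (~all); prefer -all once all senders are listed")
    if spf["lookups"] > SPF_LOOKUP_LIMIT:
        findings.append("SPF exceeds %d DNS lookups and will permerror" % SPF_LOOKUP_LIMIT)

    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        findings.append("DMARC pct=%d applies the policy to only part of the mail" % pct)
    if "rua" not in dmarc:
        findings.append("no rua address, so no aggregate reports on who is spoofing you")

    enforcing = policy in ("quarantine", "reject") and pct == 100 and spf["all"] in ("-", "~")
    return {"enforcing": enforcing, "findings": findings}


# Constructed records: a typical starting point and the hardened version.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.ac.uk"

if __name__ == "__main__":
    for spf, dmarc in ((WEAK_SPF, WEAK_DMARC), (STRONG_SPF, STRONG_DMARC)):
        print(assess_domain(spf, dmarc))
```

The weak pair produces three findings and is reported as not enforcing; the hardened pair produces none. The usual route is to publish `p=none` with an `rua` address first, use the aggregate reports to find every legitimate sending service, add them to SPF (and set up DKIM signing for each), and only then move to `p=quarantine` and `p=reject`. These records protect your own domain name; they do nothing against mail from a free webmail address carrying a senior staff member’s name, which is why the organisational and awareness measures above still matter.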
Cyber security is the responsibility of all individuals, with every user making decisions about how they access and store their own data and how they behave when interacting with computer systems and networks. This is best achieved when there is a culture throughout the organisation that supports robust cyber security.
So, it is critical that university and college leaders consider whether their cyber protection governance is sufficiently robust. Organisations that do not adequately protect themselves risk the loss or exposure of personal student and staff data and commercial, institutional and research data that are valuable to cyber criminals operating domestically and internationally.
The governing body and executives must provide the leadership that best ensures staff, students and researchers can protect themselves, the institution and their stakeholders from the consequences of accidental information security breaches and malicious cyber attacks including phishing.
- A new British Standard, BS31111:2018, has been developed to help governing bodies and executive management better understand the risks associated with IT activities and support decision making that ensures good cyber resilience
- See the National Cyber Security Centre's advice on protecting your organisation
- Find out more about our cyber security services and the Jisc security conference 2019