Cyber security is improving in many areas, but phishing is still a big problem for the further and higher education sectors, partly because it is too easy for criminals to send emails pretending to be from a university or college.
While part of the solution lies in security awareness training for users, adopting anti-spoofing solutions is increasingly important, too.
Phishing attacks across all sectors have been a particular challenge since COVID-19 hit, but this is nothing new for the education sector. According to Jisc’s 2019 cyber security posture survey (pdf), phishing/social engineering and procedural mistakes are by some distance the top threats to UK colleges and universities.
This is backed up by findings from the 2019 Cyber Security Breaches Survey (pdf), run by the Department for Digital, Culture, Media and Sport with businesses and charities. The research suggests attacks have become increasingly sophisticated and can no longer be tackled simply through raising awareness.
This is why one of the main areas of focus for the National Cyber Security Centre (NCSC), which is committed to making the UK the safest place to live and work online, is to encourage the implementation of strong email anti-spoofing controls.
Implementing anti-spoofing controls, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), helps other organisations deal with fake emails purporting to have originated from a .ac.uk domain. In short, receiving mail systems that check these published records will reject emails that do not appear to be genuine.
Advice on these solutions is included in the NCSC’s guidance to help organisations defend against phishing attacks.
Though many universities and colleges will have Sender Policy Framework (SPF) configured, this is not enough on its own and the NCSC advises working towards a strong DMARC policy.
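As an added example (not NCSC, Jisc or Mail Check code), the following Python script checks a domain's SPF and DMARC records for the weak settings the two paragraphs above warn about: an SPF record that ends in softfail (`~all`) or has no `all` term, and a DMARC record that only monitors (`p=none`) or applies its policy to a fraction of mail. The records are constructed samples for a hypothetical `example.ac.uk` domain and are parsed from strings so the script runs offline; in practice the same strings would come from DNS TXT lookups of the domain (SPF) and `_dmarc.<domain>` (DMARC), which this example leaves out.

```python
"""Assess SPF and DMARC TXT records for weak anti-spoofing settings.

Added example, not code from NCSC, Jisc or the Mail Check service.
Records are parsed from strings so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records for a hypothetical domain (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.ac.uk"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.ac.uk")

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    message: str


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs and the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                      # SPF default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value;' pairs of a DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> List[Finding]:
    """Return the weaknesses found in a domain's SPF and DMARC records."""
    findings: List[Finding] = []
    if spf_record is None:
        findings.append(Finding("high", "no SPF record: any server can claim to send for this domain"))
    else:
        spf = parse_spf(spf_record)
        if spf["all"] is None:
            findings.append(Finding("high", "SPF has no 'all' term, so unlisted senders are neutral, not failed"))
        elif spf["all"] in ("+", "?"):
            findings.append(Finding("high", f"SPF ends in {spf['all']}all, which permits every sender"))
        elif spf["all"] == "~":
            findings.append(Finding("medium", "SPF ends in ~all (softfail): unauthorised senders are only flagged"))
        lookups = sum(1 for _, m in spf["mechanisms"] if re.split(r"[:=]", m)[0].lower() in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(Finding("high", f"SPF needs {lookups} DNS lookups; over the limit of 10 it evaluates to permerror"))
    if dmarc_record is None:
        findings.append(Finding("high", "no DMARC record: receivers get no policy and send no reports"))
    else:
        dmarc = parse_dmarc(dmarc_record)
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append(Finding("high", "DMARC p=none only monitors: spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(Finding("medium", "DMARC p=quarantine: spoofed mail is sent to spam rather than rejected"))
        pct = int(dmarc.get("pct", "100"))
        if policy != "none" and pct < 100:
            findings.append(Finding("medium", f"pct={pct}: the policy applies to only {pct}% of failing mail"))
        if dmarc.get("sp", policy).lower() == "none" and policy != "none":
            findings.append(Finding("medium", "sp=none: subdomains are not covered by the organisational policy"))
        if "rua" not in dmarc:
            findings.append(Finding("info", "no rua= address: aggregate reports are not being collected"))
    return findings


def is_strong(spf_record: Optional[str], dmarc_record: Optional[str]) -> bool:
    """True when no high-severity weakness remains (the target state the NCSC describes)."""
    return not any(f.severity == "high" for f in assess(spf_record, dmarc_record))


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: strong={is_strong(spf, dmarc)}")
        for f in assess(spf, dmarc):
            print(f"  [{f.severity}] {f.message}")
```

Run it and the weak pair reports the softfail SPF and monitoring-only DMARC, while the strong pair reports nothing. The `is_strong` check is deliberately conservative: a domain still at `p=quarantine` or `~all` passes with medium findings, which matches the staged path from monitoring to quarantine to reject that a DMARC rollout normally follows.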
The NCSC provides advice on strengthening email policies and is now offering a free online tool, Mail Check, to universities and colleges. It has done this already for central and local government, with 80% now actively using DMARC. The higher and further education sectors are a long way behind that, but there has been a fantastic initial response over the last couple of months, so I am hoping to see the numbers rise.
By implementing the tools and policies we recommend, universities and colleges will be protecting staff, students and partner organisations – not to mention their data and reputations – from cyber attacks that use their domains.
For more information on the Mail Check service, watch the video, take a look at the NCSC online guidance, or sign up for an account. You can contact the Mail Check team at email@example.com.
For more about cyber security in the education and research sector, sign up for free to attend the Jisc security conference (3-5 November 2020). This year it will focus on ‘building a cyber aware culture together’ and the programme has been expanded to include sessions for all staff members – from network and security specialists to teaching and learning practitioners. Find out more about how Jisc can help you with cyber security.