
Sector builds cyber security resilience but there’s no room for complacency

Steve Kennett

Despite the many headlines this year highlighting cyber attacks suffered by universities and colleges, it’s important to keep a sense of perspective.  

Our sector is no more or less of a target than any other, but the harsh reality is that those of you who have so far avoided the attention of cyber criminals should expect an attack at some point.  

The question is, are you prepared for that?   

Do you know what threats you might have to deal with? How a cyber attack might affect your organisation? Do you have adequate protection measures in place to minimise risk? Do you have the resource and expertise available to recover quickly when you are hit?  

Our annual cyber security posture survey and everyday dealings with members tell us that the security picture across the education and research sectors is varied, so if you’re not sure how to answer these questions, then please ask us for help.

There’s also a new piece of research which may help fill in the gaps. The cyber impact report assesses the effect of cyber attacks on staff, students, researchers, reputation and budget. 

Intended as a means of strengthening senior leaders’ understanding of cyber risk and promoting internal discussion, the report also offers advice on how institutions can improve their defences and shorten recovery times. 

Using information from the posture survey and deep-dive interviews with 12 universities and four FE providers that have been affected by cyber attacks, the report is set against a background of increasing threats.   

The scale of the threat 

Over the past few years, Jisc’s computer security incident response team (Janet Network CSIRT) has handled between 5,000 and 6,000 incidents and queries a year and is noticing how the attack methods are becoming ever more varied.  

State-sponsored actors, organised criminal gangs, disgruntled students and opportunists are all problematic. They may be trying to access systems to defraud payroll or demand ransom payments. They could be trying to steal identities or extract high-value research and intellectual property – or simply be disruptive.

Individual students and staff members are victims, too. Amazon and Apple gift card scams are common, while attempts to steal student loans usually spike at the beginning of every academic year. 

One university shared that, in one year, around 200 students and staff members had fallen for voucher scams, resulting in hundreds of pounds lost for each of them (£50,000 - £100,000 collectively) – and this was only those they were aware of.

According to the 2020 posture survey, phishing/social engineering is still the top threat, with ransomware/malware ranked second – and for good reason. 

During August 2020, there was a spate of ransomware attacks – seven that Jisc is aware of – leading to the National Cyber Security Centre (NCSC) issuing an alert for academia. Successful attacks like these at key times, such as clearing, enrolment or assessment, “would be catastrophic”, one university told our report researchers.

An FES provider suffered an attack on results day in August 2020, resulting in the loss of IT infrastructure, staff and student email and the student portal. The FES provider said: 

“Today has been among the most challenging days in college history.” 

A 2020 ransomware attack affected a university researcher who lost research data. Although it was backed up, days of reformatting effort ensued and a further ten days of high-grade IT support was required to stop the effects spreading to other researchers. 

Attackers are acting smarter, too. Reconnaissance is leading to highly refined crimes, boosting chances of success. Got an organisational chart on your website? You might want to carefully consider the risks. 

The pandemic is also having an impact. With the shift to remote learning and working, data is increasingly held on devices outside institutional premises. Protecting that information, wherever it exists, is an extra challenge and has added to staff workload. The types of attack have changed since March, too, with many instances of phishing scams taking advantage of the fear around the virus.

The financial impact 

Staff time is the biggest reported impact of cyber attacks for both HE and FE and can certainly be expensive, especially if external specialists are brought in to help, with costs upwards of £1,200 per day. 

The targeting of finance teams and senior staff in all organisations is commonplace and regularly successful. While money might be recovered, the effort is significant, and the loss of data can attract hefty fines from the Information Commissioner’s Office (ICO); a six-figure fine has already been imposed on one education provider.

This year, an FES provider described losing £10,000 from payroll via a fraudulent email sent to a vice principal. Another was tricked into paying £10,000 after a hacker investigated and circumvented institutional processes. Meanwhile, a university shared details of a phishing-based incident that resulted in three staff members’ salaries being diverted for one month, costing the university around £10,000.

A university, in response to a 2019 data breach, deployed a response team of 15 staff members for three weeks and a further five for three more weeks, equating to £65,000 worth of staff effort plus significant legal costs. Existing projects were delayed because of the breach.

Reducing risk 

Working alone, IT teams cannot hope to protect their entire organisations. Building robust defences requires strategic investment in technical controls, expertise and security awareness training for all users. 

Senior leaders at all universities must take responsibility for security because, although we acknowledge the upward trend in good practice, there’s absolutely no room for complacency.  

If you are attacked, please immediately inform our computer security incident response team, Janet Network CSIRT. Even if you don’t need our help (included as part of your Jisc membership), the information you provide could help others.

Jisc’s annual Networkshop conference (27-29 April 2021) has more information about the technology and infrastructure to help future-proof your college, university or research centre.