Cyber attacks on universities can be devastating, with wide-ranging effects for staff and students, data and systems, finances and resource. And the inevitable headlines bring with them potential for reputational damage, too.
It’s important, though, to keep a balanced perspective: the sector is not targeted any more or less than others, but the hard reality is that universities which have not yet become a target can expect an attack at some point and must be ready for that.
To help sector leaders better understand the scale of the threat and the potential fallout from cyber attacks, Jisc commissioned a cyber security incident impact report. Compiled over the summer following interviews with 12 universities and four further education providers affected by cyber attacks, it also includes stats from Jisc’s 2020 cyber security posture survey.
Encouragingly, these figures clearly show an improving picture of security across the sector. For example, most HE respondents (82 per cent) indicate that cyber security is a priority within their organisation and more are gaining security certifications, which will help protect against common threats.
Particularly impressive is that about 80 per cent of universities provide mandatory security awareness training for staff, although we’d like to see the number that insist students take a course (eight per cent) to increase.
Alongside solutions including multi-factor authentication, this is important because human error – such as falling victim to phishing scams – is a common factor in cyber attacks.
The scale of the threat
Indeed, the survey shows that phishing remains the top threat, with ransomware ranked second. One university that was targeted by this type of attack was left with only limited systems available at the start of the 2020 academic year, while another was forced to cancel exams and its clearing hotline was disrupted.
Problems for the sector were serious enough to prompt the National Cyber Security Centre to issue an alert for academia and Jisc’s computer security incident response team Janet CSIRT was flat out fulfilling its role to provide support and advice to affected members.
Over the past few years, that team has handled between 5,000 and 6,000 incidents and queries a year and is noticing that the variety of attack methods is expanding. State-sponsored actors, criminal gangs, disgruntled students, and opportunists are all problematic.
Attackers are acting smarter, too, conducting reconnaissance that can lead to highly refined crimes reflecting staff structure, processes and systems. Universities that publish staff organograms on their websites, for example, should carefully consider the risks.
Criminal objectives include scamming individuals for money, accessing systems to defraud payroll, demanding ransom payments, identity theft, disruptive activity, and attempts to steal high value research and intellectual property.
Effects of Covid-19
Because of the shift to remote learning and working, data is increasingly held on devices outside campuses and protecting that information, wherever it exists, has extended existing security challenges and staff workload. Posture survey data indicates projects to introduce multi-factor authentication and virtual private network roll outs have been brought forward.
The type of attacks has changed since March, too: cyber criminals are flexible and respond quickly to exploit social or economic factors, including Covid-19, and there are many instances of phishing scams taking advantage of the fear around the virus.
Universities responding to the posture survey estimate that cyber attacks over the last year cost less than £100,000, with most losses under £50,000. However, 36 per cent do not know the actual cost, so we suspect this is simply not being captured.
Staff time is recorded as the biggest impact and can certainly be very costly, especially if external specialists are brought in, with daily costs upwards of £1,200.
In response to a 2019 data breach, one university deployed a response team of 15 staff for three weeks and a further five for three more weeks, equating to £65,000 worth of resource plus significant legal costs.
Meanwhile, the loss of data can attract hefty fines from the Information Commissioner’s Office; a six figure fine has already been imposed on one education provider.
No room for complacency
Working alone, IT teams cannot hope to protect their entire organisations. Building robust defences requires strategic investment in stringent technical controls, expertise and security awareness training for all users.
Senior leaders at all universities must take responsibility for security because, although we acknowledge the upward trend in good practice, there’s absolutely no room for complacency. Our report should help broaden their awareness of cyber risk and also offers advice on how to improve defences and shorten recovery times.