Staff or students often responsible for university and college cyber-attacks

Earlier this year, the FE and HE technology solutions not-for-profit, Jisc, conducted a  survey of its members to find out their attitudes towards cyber security, which found that colleges are over-estimating their ability to guard against cyber attacks.

When asked to assess their perceived level of protection, 43% of colleges scored their organisation eight or more out of ten, while the mean score was 7.1, which was more optimistic than universities’ mean score of 5.9. Their optimism could be due to the lack of security specialists working in the FE sector, leaving colleges in the dark.

Colleges have less in the way of budget allocation and specialist staff than universities, and are far less likely to have achieved the government’s Cyber Essentials standard. On the plus side, 10 times the number of colleges are working towards Cyber Essentials this year, compared to last year (29% compared to 3% in 2017). 

Paul Feldman, Jisc CEO, has warned that a lack of resources and investment meant colleges are not as well defended against cyber attacks as they should be, and colleges still appear to be unrealistic about the risk.

What are the biggest threats?

Lack of awareness and accidental breaches – such as emailing sensitive data to the wrong recipients – are considered by colleges to be the biggest threat to their cyber security, according to the survey.

Ransomware/malware comes in at number two, followed by phishing and social engineering, such as clicking on dodgy email links or being tricked into giving away passwords. 

Colleges are right to be concerned about the risk of human error to cyber safety since duping staff and students is the most common method employed by criminals to infiltrate systems, steal data and commit fraud and other crime.

Phishing attacks and social engineering are become more sophisticated and difficult to spot, so good security training and using a second factor for authentication for users is essential.

Colin Truran, Principal Technology Strategist at Quest Software, said: 

“Universities are required to permit vast numbers of students the ability to connect their devices to the network in order to gain access to all of the digital facilities the university provides. The challenge for universities is to enable free connection whilst limiting and preventing malicious activity and uncontrolled sensitive data sprawl.

“The rapid growth in personal devices has left many universities with poorly designed networks unable to support the modern connected world. To prevent this from happening in the future, radical changes to the design of networks are required. AI threat detection and automated threat response can detect and remediate malicious activity, and restructuring the environment can isolate sensitive services from student activity. External threats are always a risk to universities, but the greatest threat will always be from the highly intelligent and inquisitive student body.

“Another complication for universities comes from the fact that creativeness is not limited to their students. Often their technology management teams find ways with a limited budget to achieve complex problem solving with creative scripting and integration. This leads to environments with excessive complexity which creates a much larger attack surface area as a result.

“Universities need to invest in their digital environment to enable them to modernise their data management practices, remove complexity, isolate sensitive services and enable the environment to understand threats quickly and react accordingly.  In this way they will give both internal and external malicious entities far fewer opportunities and a much shorter time to do it in.”

Training

The BBC suggests that a security analysis of cyber-attacks against universities and colleges in the UK has discovered staff or students could often be responsible, rather than organised crime or hacking groups.

Commenting on this, Nick Murison, managing consultant at Synopsys, said: 

“Some of this will come down to educating staff and students. Campus networks can feel like safe places for students to try their hand at hacking, with some of the activity being down to curiosity as opposed to any intentional malice.

“Staff may feel that their data doesn’t warrant much protection as it’s “just research data” that holds little commercial value, and so may not take appropriate steps to secure their systems. University IT departments are constantly battling “shadow IT”, with students and staff connecting various systems to the network that are not centrally managed, and are often not secured.

“Universities should ensure that everyone understands the impact of lax security and “messing around”, both through education campaigns and making it clear that there are real-world consequences for violating IT security policies, not to mention the law.

“Any threats are likely to be a combination of internal threats as well as external threats, where external attackers have managed to install malware on internal systems, and pivoting their attacks from the outside through internal systems. For example, if a Denial of Service attack seems to start and stop based on office hours, this could be down to a member of staff or a student turning their laptop or desktop computer on and off. The user of the computer may be entirely unaware of what is happening.

“Much like dealing with any other threat actor, it comes down to minimising risk through keeping systems up to date, enforcing strong security controls for both internal and external systems, and enforcing principles of least privilege. You cannot simply rely on a strong external perimeter; you have to harden all systems in anticipation of attacks from both the outside and the inside.”

The proportion of respondents reporting compulsory staff and student security awareness training has increased since 2017, but Jisc would like to see compulsory training for all staff and students. Of those taking part in this year’s survey, 55% of colleges provide compulsory staff security training and 31% insist students undertake a course. There is optional training for staff at 18% of responding colleges, and for students at 10%. But there is still room for improvement: 24% said there was no system of security awareness training for staff and 43% failed to teach students. 

Dr John Chapman, Head of security operations centre, Jisc, said:

“One of the most effective methods of discovering how good, or not, college defences are is to ask an independent expert to conduct a penetration test. Many more colleges have decided to do this in 2018 – only 14% don’t – than in 2017, when 41% did not test. And we are also pleased to note that colleges are far more interested in security assessments this year (76% up from 59% in 2017).

“We can draw the conclusion from this survey that colleges are taking cyber security seriously and acknowledge the risk of human error and the value of expert advice. However, there is still an air of complacency that needs addressing – colleges think they are in a better place than may in fact be the case.”

The Jisc survey was conducted over six weeks from the end of March until the middle of May and collected responses from 49 colleges and 65 universities.