From education to employment

‘Universities’ high-value data can be obtained by hackers in under two hours’: HEPI and Jisc call for university managers and governors to take urgent action

The Higher Education Policy Institute and the education sector’s technology not-for-profit, Jisc, have today jointly published How safe is your data? Cyber-security in higher education (HEPI Policy Note 12).

The paper reveals:

  • under penetration testing, there is a 100 per cent track record of gaining access to higher education institutions’ high-value data within two hours;
  • 173 higher education providers engaged with Jisc’s Computer Security Incident Response Team in 2018 (a 12 per cent increase); and
  • during 2018, there were more than 1,000 Distributed Denial of Service (DDoS) attacks detected at 241 different UK education and research institutions.

The paper highlights areas of concern, pinpoints the sources of cyber attacks and proposes specific actions universities should take to tackle the issue, including the adoption of a new British Standard on cyber risk and resilience

Dr John Chapman, Head of Jisc’s Security Operations Centre and the author of the report, said:

Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat. 

While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment.

To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences.

Nick Hillman, Director of the Higher Education Policy Institute, said:

Universities hold masses of data on sensitive research, on the inventions of the future and on their staff and students, but some of it is not properly secured.

The two main functions of universities are to teach and to research. Students like having their personal data used to improve teaching and learning. But this support is conditional and is unlikely to survive a really serious data breach. Meanwhile, future UK economic growth is highly dependent on university research. This provides valuable information that a few unscrupulous foreign governments are keen to access.

Despite the challenges, cyber security is an area where we know how to make a difference, especially when there is leadership from the top. University managers and governors need to address cyber-security issues, including through the new British Standard on Cyber risk and resilience. Meanwhile, regulators need to consider imposing minimum cyber-security and network requirements to keep students and staff safe.

Professor David Maguire, Chair of Jisc and Vice-Chancellor of the University of Greenwich, said:

Universities are absolutely reliant on connectivity to conduct almost all their functions, from administration and finance to teaching and research. These activities accrue huge amount of data; this places a burden of responsibility on institutions, which must ensure the safety of online systems and the data held within them.

Developing strong cyber-security policies is vital not only to protect data, but also to preserve the reputation of our university sector. The HEPI / Jisc paper will help to draw higher education leaders’ attention to this important aspect of their work.

Barry McMahon, International Product Manager at LogMeIn, said:

“The report released by the Higher Education Policy Institute and HE digital services body ‘Jisc’ this morning reveals that the number and severity of cyberattacks at UK universities are growing year by year. This is a clear indication that higher education institutions are simply not equipped to tackle the looming threat of data breaches.

“The reality of cyber security is that most breaches come down to human factors, and of those factors, weak and easily guessed passwords are the number one reason that cyber criminals gain access to a system. We live in a hyperconnected world where students and staff alike expect constant connectivity across their devices, and unfortunately resort to reusing weak passwords out of convenience.

“The journey towards a stronger security posture is a two stage process – generating awareness and then taking action. There needs to be sufficient education around cyber awareness and the risks of weak and reused password habits. Often times, the solution lies in the adoption of simple and readily available applications such as password managers. These applications are easy to implement and can empower IT teams across UK institutions to increase security and productivity.

“Improving overall security is not something that happens overnight. It is only by going back to the basics that IT professionals can foster a culture of cyber awareness within the institution and ensure that UK universities have the necessary tools to fend off future network attacks.”

Related Articles