A newly published policy paper warns that UK universities are highly vulnerable to cyber hacks.
The Higher Education Policy Institute and Jisc, the agency providing technology services to the sector, have said that penetration testing has shown a 100% record of gaining access to institutions’ high-value data within two hours.
Written by Dr John Chapman, head of Jisc’s Security Operations Centre, the policy paper says that when the organisation carried out penetration testing of UK universities it took two hours or less to access the data every time.
A spokesperson told UKAuthority this refers to tests using spear phishing – in which fraudulent emails are targeted at people to get them to reveal confidential information – on almost 50 universities over 18 months, all carried out at their own request.
The paper also draws on a survey of universities’ IT and security staff that showed only 15% scored their organisation as eight or more out of 10 for being well protected. The mean score was 5.9.
The reasons given for this included a lack of dedicated staff and budgets and a lack of policies.
In addition, during 2018 there were more than 1,000 distributed denial of service (DDoS) attacks detected at 241 UK education and research institutions; and 173 higher education providers engaged with Jisc’s Computer Security Incident Response Team, up by 12% on the previous year.
As part of the response, the paper urges organisations to adopt the BS31111 standard on cyber resilience, and says governing bodies and executive management should take control of cyber risk rather than leaving it solely to IT teams.
“Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat,” Chapman said.
“While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber security knowledge, skills and investment.
“To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences.”