A survey on the state of cybersecurity in the higher education sector, conducted by managed threat detection provider Redscan, revealed that nearly 54% of universities in the U.K. reported a data breach to the Information Commissioner’s Office (ICO) last year.
The survey report, titled “The State of Cybersecurity across U.K. Universities,” stated that around 46% of all university staff received no security training and 24% did not commission a penetration test from a third party. Security training is key to building a safe cyberspace; however, there is a lack of staff and student awareness about current threats, such as COVID-19 scams.
Endless Phishing Attacks
Defending against the constant stream of phishing scams remains a challenge for all universities. Several universities receive millions of spam and phishing emails each year, with one institution reporting a high of 130 million. Phishing scams are becoming endless and the volume of attempts has increased by 50% since 2019.
Other key findings include:
- Universities spend an average of £7,529 (US$ 9,729) per year on security training, with expenditure ranging from £0 to £49,000 (US$ 63,319)
- Universities employ, on average, three qualified cybersecurity professionals
- 51% of universities are proactive in providing security training and information to students
- 12% of universities do not offer any kind of security guidance, support, or training at all to students
- 66 out of 134 universities have Cyber Essentials or Cyber Essentials Plus certification
- 65% of students say that they would be less likely to apply to a university with a reputation for poor cybersecurity
“Universities are targeted by criminals seeking financial gain, as well as by nation state attackers looking to steal intellectual property. The Redscan report raises concerns that many may not be doing enough to defend against the latest threats, particularly at a time when institutions are embracing remote teaching en masse and conducting world-changing research in relation to COVID-19. The impact of failing to address key security vulnerabilities could be disastrous. State-sponsored espionage has the potential to inflict long-term damage on U.K. universities by deterring funding for research and damaging public perception,” the U.K.’s National Cyber Security Centre (NCSC) said in a statement.
Redscan CTO, Mark Nicholls, said, “The fact that such a large number of universities don’t deliver cybersecurity training to staff and students, nor commission independent penetration testing, is concerning. These are foundational elements of every security program and key to helping prevent data breaches. Even at this time of intense budgetary pressure, institutions need to ensure that their cybersecurity teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organizations’ reputation and funding. The threat posed to universities by nation state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable.”