A new report from Redscan sheds light on how well prepared UK universities are to protect staff, students and vital research against the latest cyber threats.
In March 2020, Redscan sent Freedom of Information (FOI) requests to 134 universities across the UK. The aim was to understand more about the frequency of data breaches in the sector and some of the steps institutions are taking to prevent them. The focus on universities was due to the integral role these organisations play in conducting world-changing research and shaping the skills and knowledge of the workforce.
The results of the FOI request are available to download in a short report.
Key report findings include:
- In the last 12 months, just over half of universities reported at least one data breach to the Information Commissioner’s Office (ICO)
- A quarter of universities have not commissioned a penetration test from a third-party provider
- Only 54% of university staff nationwide have received security training
Why are universities targeted by cybercriminals?
UK universities are pioneers of world-leading research and hold large volumes of intellectual property and student data. This valuable information makes them an attractive target for financially motivated cybercriminals, as well as nation states that want to gain an advantage over international rivals.
The impact of failing to address key security vulnerabilities could be disastrous. State-sponsored espionage has the potential to inflict long-term damage on UK universities by deterring potential funders and damaging public perception and popularity with prospective students.
The COVID-19 pandemic has created serious problems for the sector, with research by the Institute for Fiscal Studies suggesting that as many as 13 UK universities could face financial disaster.
“Even at this time of intense financial pressure, institutions need to ensure that cyber security teams receive the support they need to protect against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding.” – Mark Nicholls, CTO, Redscan
Redscan’s report reveals interesting findings in a number of key areas, including:
54% of universities have reported at least one data breach to the ICO in the last 12 months, with an average of two reports per university. Two universities reported six breaches each.
A quarter of universities have not commissioned a penetration test from a third-party provider in the last year. Of those universities that commissioned pen testing from a third party, the average number of tests was just under three per university. Only 29% of universities commissioned more than one third-party penetration test.
Security awareness training
Universities spend an average of just £7,529 per year on security training for staff, with investment ranging from £0 to £49,000. 51% of universities are proactive in providing security training and information to students. 12% do not offer any kind of security guidance, support or training to students.
“UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistencies in the approach institutions are taking to protect their staff, students and intellectual property against the latest cyber threats. The cost of failing to protect scientific research is immeasurable.” – Mark Nicholls, Redscan CTO
Redscan is an award-winning provider of managed security services, specialising in threat detection and incident response. Possessing a deep knowledge of offensive security, Redscan’s experts are among the most qualified in the industry, working as an extension of clients’ in-house resources to expose and address vulnerabilities and to swiftly identify and shut down breaches. Services offered include Managed Detection & Response, CREST-accredited Penetration Testing and Red Teaming.