Security improvements vital as universities conduct key research and embrace remote teaching.
London, 28th July 2020
Redscan today released new research on the state of cyber security in the higher education sector. The study, based on an analysis of Freedom of Information requests, reveals that more than half of UK universities reported a data breach to the ICO in the last year. At the same time, 46% of all university staff received no security training and almost a quarter of institutions (24%) did not commission a penetration test from a third party.
According to the UK’s National Cyber Security Centre (NCSC), universities are targeted by criminals seeking financial gain, as well as by nation state attackers looking to steal intellectual property. The Redscan report underscores the degree to which universities are an attractive target. It also raises concerns that many may not be doing enough to defend against the latest threats, particularly at a time when institutions are embracing remote teaching en masse and conducting world-changing research in relation to COVID-19.
Defending against an incessant stream of phishing attacks remains a challenge for all universities. Several institutions reported receiving millions of spam/phishing emails each year, with one reporting a high of 130 million. Phishing attempts were described as being “endless” and one university disclosed that attacks had increased by 50% since 2019.
Other key findings from the report include:
- 54% of universities reported a data breach to the ICO in the last 12 months*
- A quarter of universities haven’t commissioned a pen test from an external provider in the last year
- Only 54% of university staff have received security training during the last 12 months. One top Russell Group university has trained only 12% of its staff
- Universities spend an average of £7,529 per year on security training, with expenditure ranging from £0 to £49,000
- Universities employ, on average, three qualified cyber security professionals
- 51% of universities are proactive in providing security training and information to students
- 12% of universities do not offer any kind of security guidance, support or training at all to students
- 66 out of 134 universities have Cyber Essentials or Cyber Essentials Plus certification
Redscan CTO, Mark Nicholls, commented: “UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistencies in the approach institutions are taking to protect their staff, students and intellectual property against the latest cyber threats.
“The fact that such a large number of universities don’t deliver cyber security training to staff and students, nor commission independent penetration testing, is concerning. These are foundational elements of every security program and key to helping prevent data breaches.
“Even at this time of intense budgetary pressure, institutions need to ensure that their cyber security teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding.
“The threat posed to universities by nation state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable.”
Notes for editors
FOI requests were made to 134 universities in the UK, of which 86 responded. While the timescale for an FOI response is normally 20 working days, this was relaxed by the Information Commissioner’s Office (ICO) due to the COVID-19 pandemic, meaning that many responses took longer to obtain.
*It should be noted that not all data breaches are caused by cyber-attacks.
Redscan is an award-winning provider of managed security services, specialising in threat detection and incident response.
Possessing a deep knowledge of offensive security, Redscan’s experts are among the most qualified in the industry, working as an extension of clients’ in-house resources to expose and address vulnerabilities plus swiftly identify and shut down breaches. Services offered include CREST accredited Penetration Testing, Red Teaming and Managed Detection & Response.
By understanding how attackers operate, leveraging cutting-edge threat intelligence, and offering highly acclaimed service, Redscan’s cyber security professionals can be trusted to provide the insight and support needed to successfully mitigate information security risk and achieve compliance standards.