UK universities are not acting quickly enough to educate their staff and students about cyber threats, with 46% of university staff receiving no training, and 12% of universities not offering any kind of security guidance to staff and students.
According to a recent report from security firm Redscan, 54% of UK universities reported a data breach to the Information Commissioner's Office in the last twelve months, yet a majority of universities are still found lacking when it comes to providing cyber security training to staff and students, spending on security, carrying out pen testing, or hiring cyber security professionals.
Information obtained by the security firm from 134 universities in the UK via a Freedom of Information request revealed that even though universities find themselves at the receiving end of millions of phishing emails every year, the average university is spending only £7,529 per year on security training and is hiring just three qualified cyber security professionals.
These figures indicate that UK universities are not treating the protection of intellectual property, precious research work, or the personal data of staff and students with real seriousness, even though cyber criminals use a range of phishing tactics to lure universities into sending over money or data, or carry out DDoS attacks to shut down IT networks.
Universities often suffer data breaches due to errors committed by employees when storing or handling the personal data of staff and students. Such data leaks or breaches can be avoided if staff are provided with adequate cyber security training and are educated about various online threats.
Almost half of all university staff received no security training in the last year
However, Redscan learned that only 66 out of 134 UK universities have Cyber Essentials or Cyber Essentials Plus certification, 49% are not proactive in providing security training and information to students, 12% of universities do not offer any kind of security guidance, support or training at all to students, and 46% of all university staff in the UK received no security training in the last year.
“UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistencies in the approach institutions are taking to protect their staff, students and intellectual property against the latest cyber threats,” said Mark Nicholls, CTO of Redscan.
“The fact that such a large number of universities don’t deliver cyber security training to staff and students, nor commission independent penetration testing, is concerning. These are foundational elements of every security programme and key to helping prevent data breaches.
“Even at this time of intense budgetary pressure, institutions need to ensure that their cyber security teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding.”
“The threat posed to universities by nation-state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable,” Nicholls added.
Cyber attacks on UK universities are damaging the UK’s knowledge advantage: NCSC
The threat of cyber criminals targeting vulnerable university staff who have not been trained to recognise online threats is very real. Recently, the National Cyber Security Centre warned in an advisory to UK universities that nation-state hackers could cause long-term damage as persistent cyber attacks weaken the UK’s knowledge advantage, damage the value of research, and result in a fall in investment by the public or private sector.
NCSC noted that "state espionage will continue to pose the most significant threat to the long-term health of both universities and the UK itself", adding that there is a realistic possibility that "the threat will increase in-line with increased scrutiny of foreign direct investment and the minimising of other avenues to gain insight and advantage."
The cyber security watchdog added that state-sponsored hackers target universities in the UK primarily to gain access to the email accounts of faculty and other staff, to bulk personal information on staff and students, and to technical resources, sensitive research, and intellectual property.
Nation-state hackers are usually given the task of gaining access to and stealing advanced intellectual property research carried out by UK universities as gaining access to such research will allow their sponsor nations to advance their equivalent research efforts, military or security apparatus.
If universities lose their intellectual property and advanced research work to hackers on a regular basis, it will damage the value of their impacted research and intellectual property and as a result, diminish their attractiveness, relevance, and value over a period of time.