Colleges under-estimate risk of cyber attacks
Earlier this year, the FE and HE technology solutions not-for-profit, Jisc, conducted a survey of its members to find out their attitudes towards cyber security. Here, the author of the survey, Jisc’s head of security operations centre, Dr John Chapman, talks about the main findings:
A new survey* of cyber security attitudes across the further and higher education sectors indicates that colleges are over-estimating their ability to guard against cyber attacks.
When asked to assess their perceived level of protection, 43% of colleges scored their organisation eight or more out of ten, while the mean score was 7.1, which was more optimistic than universities’ mean score of 5.9.
This optimism is despite the fact that the survey also found colleges have less in the way of budget allocation and specialist staff than universities, and are far less likely to have achieved the government’s Cyber Essentials standard. On the plus side, many more colleges this year (29% compared to 3% in 2017) are working towards Cyber Essentials.
The survey results are released just a couple of months after Jisc’s CEO, Paul Feldman, warned that a lack of resources and investment meant colleges are not as well defended against cyber attacks as they should be, and colleges still appear to be unrealistic about the risk.
Our data shows that, in the first six months of this year, colleges were targeted by 225 DDoS attacks (designed to bring down the network). This represents an increase of 35% compared to January to June 2017. Jisc’s security operations centre also handled almost three times as many other security incidents or queries from FE colleges over the same period.
Through regular meetings with members, we know colleges have concerns over security, so the relatively high posture assessment was surprising. On the other hand, colleges know that Jisc is here to support them – preventing some attacks and helping them to recover from breaches – so they feel secure. We are concerned that their optimism could be due to the lack of security specialists working in the FE sector, leaving colleges in the dark.
What are the biggest threats?
Lack of awareness and accidental breaches – such as emailing sensitive data to the wrong recipients – are considered by colleges to be the biggest threat to their cyber security, according to the survey. Ransomware/malware comes in at number two, followed by phishing and social engineering, such as clicking on dodgy email links or being tricked into giving away passwords. External attacks aimed at the college and DDoS attacks complete the top five threats.
Colleges are right to be concerned about the risk of human error to cyber safety since duping staff and students is the most common method employed by criminals to infiltrate systems, steal data and commit fraud and other crime. Phishing attacks and social engineering are become more sophisticated and difficult to spot, so good security training and using a second factor for authentication for users is essential.
From Russia without love
A surprising outcome of this year’s survey is that our members seem unconcerned about one of the threats that is big in the media and high on the list of priorities for security agencies. Earlier this year, the National Cyber Security Centre took the rare step of publicly naming a nation state when it published a document in collaboration with US security agencies stating that Russian state-sponsored cyber actors were targeting network-based intrusion detection system (NIDS) devices.
However, only one person who responded to our survey last year, or this, listed the threat from nation states as a worry. Perhaps that is understandable, given the multitude of more common threats to the education sector, but complacency is dangerous: the education and research sector is just as much of a target as other sectors in the UK.
It’s true that, if a specific threat actor is determined to attack your institution, then there may be little you can do, but if they are trying to find an easy victim to use to attack another site (whether inside or outside the education sector) then there is much you can do to make your organisation an unattractive target.
Protection
One of the most effective ways to guard against the top threats is to educate users. Of those taking part in this year’s survey, 55% of colleges provide compulsory staff security training and 31% insist students undertake a course. There is optional training for staff at 18% of responding colleges, and for students at 10%. But there is still room for improvement: 24% said there was no system of security awareness training for staff and 43% failed to teach students.
While it is encouraging to see the proportion of respondents reporting compulsory staff and student security awareness training has increased since 2017, we would like to see compulsory training for all staff and students.
One of the most effective methods of discovering how good, or not, college defences are is to ask an independent expert to conduct a penetration test. Many more colleges have decided to do this in 2018 – only 14% don’t – than in 2017, when 41% did not test. And we are also pleased to note that colleges are far more interested in security assessments this year (76% up from 59% in 2017).
We can draw the conclusion from this survey that colleges are taking cyber security seriously and acknowledge the risk of human error and the value of expert advice. However, there is still an air of complacency that needs addressing – colleges think they are in a better place than may in fact be the case.
Dr John Chapman, Head of security operations centre, Jisc
About Dr John Chapman: He has been working in educational technology for over 10 years, developing policy and strategy on a national level in the areas of information security and access and identity management. He has experience of leading strategic programmes across the educational landscape in the UK, including developing Jisc’s access and identity management strategy and security products and services strategy.
*The survey was conducted over six weeks from the end of March until the middle of May and collected responses from 49 colleges and 65 universities.
Responses