UK universities under cyberattack, can higher education defend itself?

Universities hold research data, intellectual property and other valuable information

Britain's universities are a globally-prized repository of research data, intellectual property and employ some of the world's foremost thinkers on a wide range of subjects. To wit, this makes them an obvious target for the world's cybercriminals, including those with political as well as commercial motivations. Universities also host hundreds of thousands of students and teachers, who must count as the most difficult network users imaginable because they are often workers and customers at the same time.

It is surprising that almost no effort has gone into finding out how well this vital sector has been coping with the cybercrime phenomenon. Recently, software firm VMware has had a stab at redressing this in a report that questioned senior IT people at 50 of the UK's universities, the results of which gives an interesting insight into the possible damage that is being done and the dilemmas faced by these institutions when defending themselves.

Computerworld UK is normally sceptical about vendor-driven surveys based on small sample sizes but in the case of universities, 50 institutions is roughly a third of the entire sector and offers a good number to start building a picture of what might be going on.

On some levels, VMware's findings are much as might be expected - universities are being aggressively targeted in much the same way as many other sectors in the UK and beyond. The study doesn't offer a lot of detail but does at least raise some larger and pertinent issues.

Students are the primary target: In terms of the volume of attacks, the main target for external hackers is students, although half of the university professionals also rated students as being a major risk in and of themselves. Most of this was down to ignorance of security risks and a cavalier attitude to online safety mixed with a small level of deliberately malicious behaviour.

Frequency of attacks: Nine out of ten universities admitted to having suffered at least one successful cyberattack (e.g. on students or theft of IP) with about the same number believing these to be increasing. A third of universities said these were now happening on an hourly basis.

Types of attack: Following on from this, slightly more than four in ten universities had experienced the loss of student data including dissertation materials and exam results, 25 percent had experienced the loss of IP while 28 percent reported that research data had been the main target.

Are universities defences up to the job? Universities are publically-funded and, in the UK at least, always short of money. Not surprisingly, two thirds said that their existing IT infrastructure was not up to the job, a quarter thought their datacentre was 'inadequate' while almost nine in ten believed more funding would be necessary to protect university IP going forward.

Too much old equipment: Universities are still over-reliant on a lot of traditional security such as firewalls and antivirus that wouldn't have been out of place in the 1990s, suggests VMWare's UK Government and Public Services director, Tim Hearn. Perhaps, then, it is about money, at least in part. Equipment will have to replaced in the immediate future, a time when budgets will be under huge pressure. A deeper question is whether universities have specialised needs - balancing a need to share but also protect - that can't easily be protected by general-purpose IT security architectures. University IT defeats simple models of perimeter security, especially as a rapid migration to cloud computing continues apace.

Security doesn't add enough obvious value: No student or staff member assesses a university's security posture before agreeing to study or work there. It is just assumed that security has been dealt with. This might be changing. Reputational damage seems remote for universities but that might no longer be the case with nearly eight in ten claiming to have suffered loss of reputation as the result of a cyberattack.

Reaching vice chancellors: Every enterprise security 101 implores organisations to bridge the culture gap between managers, in this case vice chancellors, and IT. In universities, which are complex organisations, that might be easier said than done. University management structures seem to vary from institution to institution.

Reconciling complex values such as openness: According to VMWare's Hearn, the problem is less about not having the money to fix problems as having to reconcile security with the understandably deeply-ingrained value of openness on which universities are founded.

"The whole idea of a university is to encourage openness. There has been a reluctance to invest in security that might compromise that," he told Computerworld UK. "It is incredibly difficult to get the balance right." This culture of openness also explains why valuable and sometimes sensitive data and code is sometimes posted on public forums when it shouldn't be.

Universities as businesses in denial: Are these values of openness out of date? In short, no, but the conception of how universities work is changing in subtle ways. Universities and researchers scramble for money in a funding market with finite resources and yet universities still struggle to think of themselves as full-fledged businesses. If they did, VMWare suggests, they might invest more in security and secure processes.

Join the CSO newsletter!

Error: Please check your email address.

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place