Katy Hinchcliffe

About the author

Katy Hinchcliffe: Head of Cyber Security at Littlefish




UK Education Learns about Cyber Risk the Hard Way

29/04/2019


It is exam time and students across a university are using the Virtual Learning Environment to help with their revision. Suddenly the page they are on stops responding. They try refreshing it. The page still won’t load. They visit another web page – that doesn’t load either. The institution has just suffered a complete network outage thanks to a Distributed Denial of Service (DDoS) attack targeted at disrupting teaching and learning.

Higher education regularly experiences these kinds of scenarios. 173 different higher education providers engaged with JISC’s Computer Security Incident Response Team (the UK’s expert body for digital technology and digital resources in higher education, further education and research) in 2018 – a 12 percent increase on the previous year. Distributed Denial of Service attacks targeting higher education institutions are on the rise and successful breaches make headline news (as experienced by the University of Edinburgh last year).

Hackers gained access to all the institutions they tested within 2 hours

JISC’s latest report, published in April 2019, showed that when using spear phishing as part of its penetration testing service, JISC had a 100 per cent track record of gaining access to a higher education institution’s high value data within two hours. The Security Operations Centre for JISC’s Janet Network handles more than 6,000 incidents or queries per year.

Organisations that do not adequately protect themselves not only risk the loss or exposure of personal student and staff data but also commercial, institutional and research data and other intellectual property that are valuable to cyber criminals operating internationally.

Can Your Institution or Business Answer these Questions?

It’s clear that protecting networks and data should be a high priority for all business leaders. But do Higher Education institutions’ leaders fully understand the scale of the risk? In order to assess the risks they face and to benchmark their position on security, these ten questions need to be addressed:

  • Where is data stored?
  • Who has access?
  • Are systems patched and up to date?
  • Are there regular vulnerability scans as part of a vulnerability management process?
  • Are users trained in security awareness?
  • Is there an incident response plan in place?
  • Do users understand who should be contacted when guidance or help is needed?
  • Are monitoring and mitigation systems in place?
  • Are they addressing the ‘right’ kinds of risk?
  • Is the network provider mitigating Denial of Service attacks which could bring down the network?


The Biggest Enemy – Complacency

High-profile data breaches and cyber-attacks make headlines, but the barrage of such news may, counter-intuitively, lead to complacency. It becomes almost background ‘noise’. Higher education institutions should consider the value of their data and their students’ data. How damaging could it be to an institution if it were to suffer an information breach?

Major data breaches in 2018 may have been on a bigger scale – the Marriott Hotels leak of 500 million customer records; MyFitnessPal (150 million records); Quora (100 million user accounts); MyHeritage (over 90 million accounts); and Facebook (up to 90 million accounts) all made headlines for their sheer size – but the potential loss of cutting-edge research, the bad publicity and the financial penalties make cyber security crucial for universities, as for all businesses.

Universities safeguard incredibly valuable and commercially-sensitive research data, of interest to organised criminals and some less than scrupulous nation-states.

State-sponsored Threats as well as Criminal Extortion Activity

There were two such large-scale incidents that affected higher education institutions in 2018. Iranian hackers (affiliated to a criminal organisation called the Mabna Institute, with the alleged tacit backing of the government) targeted UK universities via the ‘Silent Librarian’ campaign. In addition, the ‘Stolen Pencil’ campaign, from a shadowy North Korean group, specifically targeted individual academics with emails designed to trick them into downloading a malicious extension to the Google Chrome web browser.

During 2018, phishing attacks became more sophisticated in their attempts to target the education sector, employing greater contextualisation and personalisation.

For example, around the beginning of term times, there has been an increase in student grant fraud. This is where students are sent phishing emails purporting to offer free grants or requesting that bank details are updated so student loans can be paid.

‘Spear phishing’ attacks, where specific individuals are targeted with requests for information, have also become increasingly common. One example includes ‘CEO fraud’ where criminals send urgent transfer requests via email to finance departments, impersonating senior members of staff in an attempt to trick them into transferring funds into the fraudster’s bank account. JISC’s own Chief Executive and Finance Department have been targeted in this way.

It’s not only in Higher Education where the risk is great.

According to a BBC News report, hackers used ransomware to encrypt files at a secondary school in March, causing it to lose some students’ GCSE coursework, after a member of staff mistakenly opened an email containing a virus. The email claimed to be from a colleague at another Dorset school and infected the computer network.

Coursework from one subject submitted by Year 11 students, which was saved on the school’s system, was lost.

Schools, Universities and Hospitals Particularly at Risk

Unfortunately, schools and other public institutions, such as hospitals, have become regular victims because hackers think they will be less likely to be following good cyber security practices, often because of budgetary constraints.

Falling victim can be hugely damaging to reputation – and a school that loses GCSE coursework as a result of an attack causes emotional, as well as financial, damage for pupils and their parents. School leaders were urged by the government to take action after a “significant increase” in cyber-attacks on academy trusts was recorded.

The school in Dorset said at the time of the report that specialists were working to try and rectify the issue, which also meant Year 9 and 10 reports were delayed.

A team of specialists carried out tests on cyber security in the education sector and took an average of four hours to take over a school’s IT network. What would happen if a well-meaning administrator or other member of staff accidentally emailed a sensitive file to a mailing list rather than an individual because they had not been trained on safe and secure methods of data handling? What if there were no vulnerability management policy in place, so a security weakness on the institution’s website went undetected, allowing access to the network by a criminal who can then siphon off commercially sensitive research data?

Read the full JISC report here.

Learn more about how Littlefish can help you to mitigate risks in your business.
