Katy Hinchcliffe

About the author

Katy Hinchcliffe: Head of Cyber Security at Littlefish




UK Education Learns about Cyber Risk the Hard Way

29/04/2019


It is exam time and students across a university are using the Virtual Learning Environment to help with their revision. Suddenly the page they are on stops responding. They try refreshing it. The page still won’t load. They visit another web page – that doesn’t load either. The institution has just suffered a complete network outage thanks to a Distributed Denial of Service (DDoS) attack targeted at disrupting teaching and learning.

Higher education regularly experiences these kinds of scenarios. In 2018, 173 different higher education providers engaged with the Computer Security Incident Response Team at JISC (the UK’s expert body for digital technology and digital resources in higher education, further education and research), a 12 per cent increase on the previous year. Distributed Denial of Service attacks targeting higher education institutions are on the rise, and successful breaches make headline news (as experienced by the University of Edinburgh last year).

Hackers gained access to all the institutions they tested within 2 hours

JISC’s latest report, published in April 2019, showed that when using spear phishing as part of its penetration testing service, JISC had a 100 per cent track record of gaining access to a higher education institution’s high value data within two hours. JISC’s Janet Network Security Operations Centre handles more than 6,000 incidents or queries per year.

Organisations that do not adequately protect themselves risk the loss or exposure not only of personal student and staff data but also of commercial, institutional and research data and other intellectual property that are valuable to cyber criminals operating internationally.

Can Your Institution or Business Answer these Questions?

It’s clear that protecting networks and data should be a high priority for all business leaders. But do Higher Education institutions’ leaders fully understand the scale of the risk? In order to assess the risks they face and to benchmark their position on security, these ten questions need to be addressed:

  • Where is data stored?
  • Who has access?
  • Are systems patched and up to date?
  • Are there regular vulnerability scans as part of a vulnerability management process?
  • Are users trained in security awareness?
  • Is there an incident response plan in place?
  • Do users understand who should be contacted when guidance or help is needed?
  • Are monitoring and mitigation systems in place?
  • Are they addressing the ‘right’ kinds of risk?
  • Is the network provider mitigating Denial of Service attacks which could bring down the network?

 

The Biggest Enemy – Complacency

High-profile data breaches and cyber-attacks make headlines, but the barrage of such news may, counter-intuitively, lead to complacency. It becomes almost background ‘noise’. Higher education institutions should consider the value of their data and their students’ data. How damaging could it be to an institution if it were to suffer an information breach?

Major data breaches in 2018 may have been on a bigger scale – the Marriott Hotels leak of 500 million customer records, MyFitnessPal (150 million records), Quora (100 million user accounts), MyHeritage (over 90 million accounts) and Facebook (up to 90 million accounts) all made headlines for their sheer size – but the potential loss of cutting-edge research, the bad publicity and the financial penalties make cyber security crucial for universities, as for all businesses.

Universities safeguard incredibly valuable and commercially-sensitive research data, of interest to organised criminals and some less than scrupulous nation-states.

State-sponsored Threats as well as Criminal Extortion Activity

Two such large-scale incidents affected higher education institutions in 2018. Iranian hackers affiliated to a criminal organisation called the Mabna Institute, which allegedly has the tacit backing of the government, targeted UK universities via the ‘Silent Librarian’ campaign. In addition, the ‘Stolen Pencil’ campaign, from a shadowy North Korean group, specifically targeted individual academics with emails designed to trick them into downloading a malicious extension to the Google Chrome web browser.

During 2018, phishing attacks became more sophisticated in their attempts to target the education sector, employing greater contextualisation and personalisation.

For example, around the beginning of term times, there has been an increase in student grant fraud. This is where students are sent phishing emails purporting to offer free grants or requesting that bank details are updated so student loans can be paid.

‘Spear phishing’ attacks, where specific individuals are targeted with requests for information, have also become increasingly common. One example is ‘CEO fraud’, where criminals impersonate senior members of staff and send urgent transfer requests via email to finance departments, in an attempt to trick them into transferring funds into the fraudster’s bank account. JISC’s own Chief Executive and Finance Department have been targeted in this way.

It’s not only in Higher Education where the risk is great.

According to a BBC News report, hackers used ransomware to encrypt files at a secondary school, causing it to lose some students’ GCSE coursework in March, after a member of staff mistakenly opened an email containing a virus. The email claimed to be from a colleague at another Dorset school and infected the computer network.

Coursework from one subject submitted by Year 11 students, which was saved on the school’s system, was lost.

Schools, Universities and Hospitals Particularly at Risk

Unfortunately, schools and other public institutions, such as hospitals, have become regular victims because hackers think they will be less likely to be following good cyber security practices, often because of budgetary constraints.

Falling victim can be hugely damaging to reputation – and a school losing GCSE coursework as a result of an attack causes emotional, as well as financial, damage for pupils and their parents. School leaders were urged by the government to take action after a “significant increase” in cyber-attacks on academy trusts was recorded.

The school in Dorset said at the time of the report that specialists were working to try and rectify the issue, which also meant Year 9 and 10 reports were delayed.

A team of specialists carried out tests on cyber security in the education sector and took an average of four hours to take over a school’s IT network. What would happen if a well-meaning administrator or other member of staff accidentally emailed a sensitive file to a mailing list rather than an individual because they had not been trained on safe and secure methods of data handling? What if there were no vulnerability management policy in place, so that a security weakness on the institution’s website went undetected, allowing a criminal to access the network and siphon off commercially sensitive research data?

Read the full JISC report here.

Learn more about how Littlefish can help you to mitigate risks in your business.
