The results from this week’s university hacking test are shocking - but things are only going to get worse. Cybercrime is not going away; in fact, it is growing in scale despite organisations’ efforts to prevent it. So what can we do about it?
The UK’s university cyber security defences were shown to be in dire straits last week when ethical hackers were able to access "high-value" data within just two hours.
Over 50 universities in the UK took part in ethical hacking attacks (penetration testing) to see how easy it is for real cyber criminals to access sensitive information.
During the tests, carried out by not-for-profit agency Jisc, the hackers discovered personal data, finance systems and research networks.
A report into their effectiveness, published by Jisc (formerly the Joint Information Systems Committee) and the Higher Education Policy Institute (Hepi), showed a 100% success rate in getting through the cyber-defences.
Within two hours, and in some cases one hour, they were able to reach student and staff personal information, override financial systems and access research databases, largely through phishing.
But this is nothing new.
Universities and the research projects that take place within them are major hacking targets, with more than 1,000 cyber-attacks last year across more than 200 institutions.
The threat is of national importance as university projects often contain sensitive research data as well as personal data about their students. The National Cyber Security Centre (NCSC), part of the GCHQ intelligence service, said most attacks on UK universities were related to phishing and attempts to gain entry for ransomware and malware. But overseas states also targeted universities to steal intellectual property and "gain technological advantage".
Consider what it would mean if new research on the latest drug to help beat cancer is stolen and destroyed. It could mean:
• Loss of data setting back research many years
• Impact on potential cures and people's lives
• If that research is stolen by hackers in another country, they may well release the data and get paid vast sums by a third party
• New research grants may go to a rival country or company in future
• Loss of reputation and trust
What would the cost be if personal information is stolen?
• The sensitive data may be sold to aid crime
• The victims may lose credit ratings
• Victims may be accused of crimes they have not committed
• Victims may be chased by creditors for loans or debts they have not taken out
• Immeasurable stress caused to victims and families.
MPs and peers on the Joint Committee on the National Security Strategy have called for greater urgency in improving cyber-security. A report by the committee warned of "potentially devastating" attacks on the UK's critical national infrastructure.
A Universities UK spokeswoman said university leaders were working with the NCSC to "help improve and strengthen security practices to better protect the sector from cyber threats".
"Data security is an absolute priority," she added.
Bridgeway's Technical Director Paul Jacka says: "We are educating the minds of our country's future, so surely, we must ensure their identities and research are protected. Plus, if we install solid cyber security awareness skills into these bright minds, they can take those skills into their new jobs in major corporations and spread the word of how we can and must beat cyber criminals."
So what next?
It’s pretty clear that all UK universities need to be equipped with adequate cyber-security knowledge, skills and investment against this evolving threat. This research supports our own experience and thoughts on cyber resilience.
Bridgeway assists many customers with simple and cost-effective ways to improve their security and awareness, in some cases utilising technology to help defeat cyber attacks. We have been working with many organisations to help them tool up against hackers, one of the most useful tools being our cyber security awareness training course. Phishing attacks are getting smarter and more sophisticated in their approach, and more and more often these email scams look like legitimate correspondence from a trusted source. Your users (both staff and students) are therefore really your last line of defence, and it is crucial to train them to be astute in recognising hacks and scams before it's too late.
For more information or to speak to one of our cyber security experts please email firstname.lastname@example.org or call 01223 979 090.