Test shows "ethical hackers" got high value data from universities in two hours

A test of the cyber security of universities has revealed that "hackers" were able to obtain "high-value" data within two hours.

The tests were conducted for a report by the Higher Education Policy Institute (HEPI) and Jisc

The report reveals that under penetration testing (ethical hacking), there is a 100 per cent track record of gaining access to universities’ high-value data within two hours.

173 higher education providers engaged with Jisc’s Computer Security Incident Response Team (CSIRT) in 2018 (a 12 percent increase).

During 2018, there were more than 1,000 Distributed Denial of Service (DDoS) attacks detected at 241 different UK education and research institutions

The paper highlights areas of concern, pinpoints the sources of cyber attacks and proposes specific actions universities should take to tackle the issue, including the adoption of a new British Standard on cyber risk and resilience.

Dr John Chapman, head of Jisc’s security operations centre and the author of the report, said: “Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat.

“While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber security knowledge, skills and investment.
“To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences.”

Nick Hillman, director of HEPI, said: “Universities hold masses of data on sensitive research, on the inventions of the future and on their staff and students, but some of it is not properly secured.

“The two main functions of universities are to teach and to research. Students like having their personal data used to improve teaching and learning. But this support is conditional and is unlikely to survive a really serious data breach. Meanwhile, future UK economic growth is highly dependent on university research. This provides valuable information that a few unscrupulous foreign governments are keen to access.

“Despite the challenges, cyber security is an area where we know how to make a difference, especially when there is leadership from the top. University managers and governors need to address cyber security issues, including through the new British Standard on cyber risk and resilience. Meanwhile, regulators need to consider imposing minimum cyber security and network requirements to keep students and staff safe.”

Read more