John Chapman, Head of security operations centre, Jisc
Adenike Cosgrove, Cybersecurity strategist, Proofpoint
Andy Jarvis, Strategic account director, NCC Group
Richard Huison, Regional manager, Gallagher Security (Europe)
Q. What are the biggest cybersecurity threats that universities face, in terms of personal and financial security?
John Chapman: Phishing has been the top threat mentioned in Jisc’s annual cybersecurity posture survey for the last three years. The number of phishing incidents reported to the Janet Network computer security incident response team (CSIRT) this year has been significantly higher than previous years, and we have also noticed a trend towards more sophisticated campaigns.
People-related incidents are the second most frequently mentioned threat for HE – whether due to accidents or students and staff not always following correct procedures because they are either unaware of, or resistant to, them.
Adenike Cosgrove: Email phishing is the most common vector for security compromises, and students and universities are especially vulnerable. Cybercriminals lure students and staff by disguising emails as messages from the university IT department, administration, a campus group, or student loan provider. Threat actors know that a phishing email that appears to originate from a trusted associate or fellow university is far more likely to be clicked than an email from an unknown source.
We tend to see upticks in phishing activity as new students activate their accounts for the first time and begin receiving high volumes of university-related email. Compromised student systems and logins represent a problem for student and university alike.
Criminals who target a specific university are looking to breach credentials, and to use those credentials – and that far-reaching access – to target an associated institution. For example, if staff at University X receive an email that appears to be from University Y (and is sent from a legitimate, albeit compromised, address), the chances of a successful secondary phish increase dramatically because these are difficult to detect, both through automated security systems and by end-users.
Other vectors for targeting students’ and staff’s computers can be through shared drives, file synchronisations/sharing services, removable media (such as USB thumb drives) and even Trojan apps for mobile devices.
Recent Proofpoint research also revealed that those universities that are not deploying the recommended email authentication protocols are putting prospective students at risk of email fraud. In a study ahead of A-level results day in 2019, we found that almost two-thirds (65%) of the UK’s top 20 universities have no published DMARC (Domain-based Message Authentication, Reporting & Conformance) record, leaving themselves open to cybercriminals impersonating their domain.
Institutions and organisations in all sectors, including universities, should deploy authentication protocols such as DMARC to shore up their email fraud defences.
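As an added illustration of the DMARC point above (example code written for this page, not the panel's or Proofpoint's): a small checker that parses a domain's DMARC TXT record and reports whether the published policy would actually stop a spoofed message, or only monitor it. The `SAMPLE_RECORDS`, `parse_dmarc`, `assess` and `audit` names are this example's own, and the `.test` records are constructed samples rather than any real university's records.

```python
"""Check whether a domain's published DMARC record actually blocks spoofing.
Added example, not the panel's or Proofpoint's code. The record lives in the
TXT record at _dmarc.<domain> (RFC 7489); the records below are constructed
samples and the .test domains are placeholders, not real universities."""

# Constructed sample records keyed by placeholder domain (None = none published).
SAMPLE_RECORDS = {
    "absent.test": None,
    "monitor-only.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.test",
    "partial.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.test",
    "weak-subdomains.test": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@weak-subdomains.test",
    "enforced.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.test",
    "malformed.test": "p=reject; v=DMARC1",  # v=DMARC1 must be the first tag
}
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict of lower-cased tags, or return None
    when the record is absent, malformed, not led by v=DMARC1, or has no valid p=."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip().lower()
    if not record.strip().lower().startswith("v=dmarc1"):
        return None
    if tags.get("p") not in VALID_POLICIES:
        return None
    return tags


def assess(record):
    """Return (enforced, findings). 'enforced' is True only when mail failing
    DMARC is quarantined or rejected for 100% of messages, subdomains included."""
    tags = parse_dmarc(record)
    if tags is None:
        return False, ["no valid DMARC record: the domain can be spoofed freely"]
    findings = []
    policy = tags["p"]
    sub_policy = tags.get("sp", policy)  # subdomains inherit p= when sp= is absent
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if sub_policy == "none":
        findings.append("subdomain policy is none: subdomains remain spoofable")
    try:
        pct = int(tags.get("pct", "100"))  # pct= defaults to 100
    except ValueError:
        pct = 0  # assumption: an unparseable pct= is treated as not enforced
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    enforced = policy != "none" and sub_policy != "none" and pct == 100
    return enforced, findings


def audit(records):
    """Assess every domain in a {domain: record} mapping."""
    return {domain: assess(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, (enforced, findings) in audit(SAMPLE_RECORDS).items():
        print(f"{domain:22s} {'ENFORCED' if enforced else 'NOT ENFORCED':13s} {'; '.join(findings)}")
```

In practice the record string would come from a DNS TXT lookup of `_dmarc.<domain>`; only the `enforced.test` sample passes, which is the state the survey above found most universities had not reached.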
Andy Jarvis: The sheer number of connected devices used on a university campus presents a huge attack surface for threat actors to exploit. For example, through techniques such as social engineering, which involves manipulating individuals into sharing their passwords and other confidential information, attackers could assume a trusted identity and target students with a seemingly legitimate email that could contain malicious payloads such as ransomware, which can lock the victim out of their devices until a ransom is paid.
Attack vectors aimed at students are normally designed for financial gain. For example, we notice spikes in criminal cyber-activity when student loans are delivered, often in the form of targeted phishing exercises that manipulate the victim into parting with their money.
Q. What are the greatest threats in terms of research/intellectual property?
JC: Protecting research data is also a high priority, with high-profile state-sponsored cyberattacks reported from North Korea, Iran and Russia. This has been recognised by the National Cyber Security Centre (NCSC), which this year published guidance for academics and senior leaders on how to protect against potential theft, misuse or exploitation.
AJ: Universities have been targeted by nation-sponsored attacks to access their highly sensitive research material and IP. These attacks can include a combination of network intrusion exercises and physical espionage techniques, so it is crucial for higher education institutes to protect themselves on both fronts.
By monitoring and managing correct Identity Access Management, which ensures that only the appropriate people have access to specific technology resources across an organisation, the risk to key assets can be significantly mitigated.
Q. How regularly should universities be reviewing their cyber protection? And what services/programmes should universities prioritise here?
JC: Cybersecurity isn’t just a one-time activity and isn’t just the responsibility of a single person or department. Accountability for managing cyber-risk should be taken at the highest governance level of an institution. A review of cyber-risk and resilience, using the NCSC Board toolkit or assessing the organisation to BS31111 [the 2018 British Standard for cybersecurity], can help boards to understand the changing risks they face, and to show stakeholders and regulators the steps they are taking to mitigate these.
The Jisc survey also showed that, over the past year, there has been a huge increase in the number of universities achieving Cyber Essentials certification, with almost half having achieved certification by demonstrating a set of baseline technical controls.
AC: Threats are constantly evolving, so cybersecurity best practices need to be regularly revisited to keep pace across all industries.
As cybercriminals increasingly target people – recent Proofpoint research shows that more than 99% of cyber-attacks require human interaction to succeed – universities must ensure that both staff and students are aware of basic cybersecurity hygiene, at the very least.
For students and universities, training around email security is important. Ultimately, though, one of the best means of protection is to follow best practices for applying patches and disabling risky services. Ensuring that your most frequently targeted applications are patched can reduce the risk that clicking on a malicious link or attachment might have catastrophic consequences.
As new students are brought in and new faculty members join the team, everyone should undergo security awareness training to better detect any suspicious activity.
AJ: Universities should review their cyber-resilience at least once a year. Ideally, an audit carried out by an independent third party should establish an institution’s current cybersecurity efficacy and identify the measures required to enhance overall cyber-resilience. Following the audit, universities should formally establish roles and responsibilities throughout the organisation and set targets to monitor progress.
Specific training services and programmes, meanwhile, should be prioritised according to their potential importance in the event of a breach. These typically include security awareness training focused on physical identity checks and detection of malicious emails, and on the agility and effectiveness with which an organisation can respond to an incident.
There is no substitute for appointing a dedicated in-house cybersecurity specialist, and we are encouraged to witness an increase in the recruitment of Chief Information Security Officers across the private and public sectors. Such individuals can focus and communicate cybersecurity strategies across the institution and help senior executives and governing bodies to engage with ongoing reviews.
Q. What role can the private sector play in helping to support universities with cybersecurity?
JC: Our survey showed that testing of defences using third-party services is now commonplace, with 82% of HE institutions using outside contractors. Jisc’s penetration testers have been engaged by more than 50 institutions in the past year to help assess their cybersecurity. This could include identifying vulnerabilities in a network, testing the security of a new system or application before it is deployed, or forming part of post-incident remediation work. Working with a trusted partner is also a good way for universities to benefit from specialist skills and to take advantage of economies of scale.
AC: As with all industries, universities do call on external cybersecurity experts to help them become cyber-resilient. However, recent research shows that universities are increasingly onboarding their own cybersecurity staff, with nearly three-quarters of higher educational providers having now recruited staff dedicated to cybersecurity roles and 66% of providers having appointed a strategic cybersecurity lead.
The UK government also takes an active role in supporting universities with cybersecurity. For example, the National Cyber Security Centre encourages UK organisations to shore up against the most common cyberthreats by gaining its Cyber Essentials certification. In fact, the NCSC saw the number of universities achieving this certification treble last year.
AJ: Historically, higher education institutions have been slow to use third parties when building and implementing a cybersecurity strategy, and we are often engaged by them in a reactive capacity once an incident has occurred.
However, as the threat landscape has become more sophisticated, it has become impossible for universities to effectively manage their IT security in-house. Universities often use large, flat networks, which are typically inexpensive to build and easy to maintain. However, by infiltrating one host on a flat network, attackers can easily access and compromise the rest of the network, which may include key assets.
Managing such networks with a small in-house team can be difficult, especially when they are also tasked with monitoring and managing thousands of students and staff who can present their own risks to a university’s IT estate. Outsourcing for proactive cybersecurity services and expertise is far more effective, from both a commercial and capability perspective.
Private sector businesses, especially in the financial sector, are often heavily regulated to ensure that their customers and employees are not at risk from malicious intent. Through research, innovation and the ability to monitor and manage varied threat landscapes, the private sector harnesses a huge knowledge base that the public sector could learn from in its ongoing cybersecurity strategy development. It is crucial that we facilitate ongoing communication and sharing of information between the two sectors.
Richard Huison: Yes, they are, and rightly so. But, perversely, sometimes some consultants and manufacturers of security equipment, who are expected to provide the solution, may increasingly be part of the problem! The trouble is that hackers can exploit the disparate systems on their networks, often through remote access granted by universities to third parties precisely to manage the risk. In this way, the inevitable need for universities to embrace bring your own device (BYOD) presents perils, too.
To minimise such risks, at Gallagher we insist on compliance with the various global government standards – such as the UK’s Cyber Assurance Products, the US’s FIPS and Australia’s Type 1A – where genuine cyber-resilience will be found.
This way, as the threat landscape evolves, so will the encryption standards built in to resist concerted cyber-attacks. Similarly, it is essential that universities also keep user application software and Windows environments bang up to date.
Q. Should universities include cybersecurity as part of their student induction programmes?
AJ: Some level of security awareness training should certainly form part of any student induction programme. This could be in the form of an online module which addresses exploit approaches that the student body could be exposed to, ranging from common phishing attack themes to the importance of proving identity to access facilities.
JC: Staff and students are the first line of defence in a university’s security posture, which is why Jisc advocates compulsory security awareness training for all. It’s a good idea for this to begin at induction, but it needs to continue as cyberthreats, and the advice on dealing with these, evolve.
We’re pleased that, when it comes to training, the sector has begun moving in the right direction.
Our first cybersecurity posture survey in 2017 showed that 48% of universities had mandatory training in place for some or all staff. This rose to 57% in 2018, and on to an impressive 81% for 2019.
However, it’s concerning that far fewer organisations insist on security training for students. In 2017, 10% of people surveyed in HE told us that they had made this training mandatory for students. In 2018, this figure dropped to only 3%, rising to 8% in 2019.
AC: Students are most vulnerable to cyberthreats, such as phishing, during their onboarding, as they receive a high volume of university-related emails at this time. With this in mind, I believe cybersecurity training should be part of the induction programme – or even before they join the university. Proofpoint recommends students follow these best practice tips:
- check the validity of all email communications, and be aware of potential fraudulent emails
- be cautious of any communication attempts that request log-in credentials or threaten to suspend a service or an account if a link isn’t clicked
- use strong passwords, changing them frequently and never re-using them across multiple accounts.
RH: Yes, they should – it is essential that universities keep user application software and Windows environments bang up to date.
Furthermore, as the direction of travel (quite rightly) is towards access being provided via smartphones with Bluetooth wireless technology, this can be built into student induction even prior to their arrival at university, thus easing the administrative burden on universities at this very busy time.
This negates the need to issue identity cards (and to replace, collect and reprogram these as access rights and privileges inevitably change). The same mobile device can be used across multiple sites, with fast, remote, secure and simple provisioning of each device.
Best cybersecurity can then be achieved via secure two-step enrolment and scheduled two-factor authentication using the Fast Identity Online (FIDO) Universal Authentication Framework (UAF) protocol, which allows each user to select their preferred method of secondary authentication – such as their fingerprint.
Q. What’s the best way to galvanise and equip staff and keep them up to date?
JC: Awareness training is useful – and can be extremely engaging. Some organisations focus on the importance of good security not only for work-related activities, but also for personal use. Encouraging the use of multifactor authentication and password managers for home can have more impact, as staff and students may relate better to protecting ‘their’ information – photos, social media accounts, etc. That awareness can then be reflected in how they use university systems, too.
AJ: Regular modular online training and communication is the best way to educate staff across an estate. Regular security awareness training should also be a fundamental part of the organisation’s wider cybersecurity strategy.
Appointing a champion within specific divisions who can be a point of either escalation or education is a good way to galvanise staff – and ensure that regular cybersecurity communication is being fed to the employee base.
Q. In terms of its data security, how does the UK education sector compare with other UK sectors?
JC: The challenges facing the education sector often differ from those facing other sectors, due to the traditional openness of HE institutions, the regular churn of users, and an extremely high use of bring your own device (BYOD).
One of the benefits for the UK education and research sector is that Jisc provides a number of core security services for all universities.
No other industry sector has the advantage of the super-fast and secure Janet Network, and we can also provide a number of sector-wide security controls to help mitigate against incidents such as distributed denial of service (DDoS) attacks, as well as a central resolver service that can help prevent access to known malicious websites.
AC: The education sector remains a hot target for cybercriminals. For example, Proofpoint researchers found that the education sector saw the largest year-on-year increase in email fraud attacks of any industry in 2019. Education is regularly targeted by a range of threat actors for phishing, malware distribution and cloud account compromise. Proofpoint has also seen sophisticated threat groups targeting universities in recent months. For example, TA407 (also known as Silent Librarian) was seen targeting universities in 2019, despite being indicted by the DOJ in early 2018.
Like many educational phishing attacks, campaigns associated with TA407 are typically not geographically targeted, but rather tied to specific universities, with phishing landing pages developed for library and student or faculty access portals. While many of the attacks are directed at schools in the United States, Proofpoint researchers regularly observe campaigns affecting universities primarily in North America and Europe.
AJ: In terms of data security, the UK education sector is far behind more closely regulated private sectors such as finance, investment and retail. We have reached a tipping point where investment in the sector’s cyber resilience is critically needed to prevent further breaches.
Fortunately, the sharing of knowledge and information between sectors has increased – led, often, by research-focused institutions – and the knowledge that we gain from our work with businesses in a variety of sectors is being imparted to our higher education client base.
RH: The most advanced UK industry sectors are those where critical national infrastructure is at risk.
For instance, we work with National Grid, where the cost of a power outage is £1m per minute – so they have to be absolutely sure of their cyber-resilience and that everything they plug onto their network is secure.
That’s a real challenge, in an era where kettles and other household appliances are becoming increasingly wifi-connected, so a hacker switching them all on at the same time could bring down the Grid.
The UK education sector is, however, catching up fast – and is well advanced in using mobile credentials and adapting to a bring your own device environment, given the particular challenges of the itinerant and youthful nature of those they necessarily allow onto their systems.
Gallagher has introduced cyber-resilient systems into King’s College London, the University of Birmingham, and the Saïd Business School at the University of Oxford, among others. Similar systems have gone into universities in Australia, New Zealand, the US and across Asia. After all, the cyberthreat is global and doesn’t recognise international borders!
Q. How quickly is the cybersecurity threat evolving, and what issue(s) do you see over the horizon?
JC: We’ve seen a continual evolution over the last few years. Although the number of incidents handled by Janet CSIRT hasn’t changed a lot from 2018 to 2019 (around 6,000 tickets), a number of them have increased in sophistication, particularly with DDoS attacks and phishing emails. There is no reason to suspect that these won’t continue to evolve.
On a more positive note, there appears to be more cybersecurity awareness among education and research organisations: our survey found that 97% of universities are now using services to gain insight and intelligence about current or emerging threats. We are also noticing a lot of interest in managed security services as a way for institutions to help mitigate attacks.
AC: The cybersecurity threat shows no sign of slowing down. Notably, email will remain the initial threat vector of choice for most cybercriminals, driving more phishing campaigns and targeted attacks to gain a foothold in an organisation and/or access sensitive information. In line with this, threat actors will continue to rely on human vulnerability (students, staff, contractors) for their attacks to succeed.
Educational institutions will also remain prime targets due to their high student and staff populations and turnover, coupled with ongoing independent research and the culture of openness and information sharing. Cybercriminals will continue to capitalise on these conditions, targeting both students and staff to gain access to credentials and vast stores of sensitive data available in student information systems. It is vital that educational institutions make security awareness training and people-centric cybersecurity solutions a priority.
AJ: The threat landscape is rapidly evolving and, for HE institutions, their research and their students, the risk and impact can be huge. As we continue to become a more connected society, the challenges faced by HE institutions will grow, and their ability to manage these challenges in-house will decrease.
Human error and insider misuse will remain the key issues for universities in the near future.
RH: The attack that brought Travelex to its knees at the start of this year shows how quickly the threat is evolving. And don’t think that, because they are a financial institution, a similar attack wouldn’t happen to a university. Remember the WannaCry ransomware attack two years ago that affected 230,000 computers in over 150 countries in just one day? Among the ‘victims’ were the Université de Montréal and our National Health Service!
We insist on compliance with the various global government standards – such as the UK’s Cyber Assurance Products, the US’s FIPS and Australia’s Type 1A – where genuine cyber-resilience will be found. This way, as the threat landscape evolves, so will the encryption standards to resist concerted cyberattacks. It is essential, also, that you keep application software and your Windows environment bang up to date, for the same reason.