Cybersecurity and compliance company Proofpoint Inc has released new research which suggests that 97% of top universities globally are lagging on basic cybersecurity measures.
This means that they are potentially subjecting students, staff and stakeholders to a higher risk of email-based impersonation attacks.
Educational institutes are particularly vulnerable to impostor emails referred to as business email compromise (BEC).
BECs are a form of social engineering designed to trick victims into thinking they have received a legitimate email from an organisation or institution.
Cybercriminals use this technique to extract personal information from students and staff by disguising emails as messages from the university IT department or a campus group, often directing users to fake landing pages to harvest credentials.
The findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top 10 universities in the UK, USA and Australia.
DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals.
It authenticates the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.
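The three policy levels described above are expressed as the `p=` tag of a domain's DMARC record (a TXT record published at `_dmarc.<domain>`). The following added example, not code from the article or from Proofpoint, classifies records the way such an audit would, using constructed records for hypothetical domains; the `actively_blocks` test is an assumed definition, treating only `p=reject` applied to 100% of failing mail as fully enforcing.

```python
"""Classify DMARC TXT records into monitor / quarantine / reject levels."""
from typing import Dict, Optional

# Constructed sample records for hypothetical domains (not real universities).
# In practice the record is fetched from DNS, e.g. `dig TXT _dmarc.example.com`.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "uni-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@uni-a.example",
    "uni-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:rpt@uni-b.example",
    "uni-c.example": "v=DMARC1; p=none; rua=mailto:rpt@uni-c.example",
    "uni-d.example": "v=DMARC1; rua=mailto:rpt@uni-d.example",  # no p tag
    "uni-e.example": None,                                      # nothing published
    "uni-f.example": "v=spf1 include:_spf.example -all",         # wrong record type
}

def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split 'k=v; k=v' into a tag dict; return None if not a usable DMARC record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None  # RFC 7489 requires v=DMARC1 as the first tag
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if "p" not in tags:
        if "rua" not in tags:
            return None       # neither p nor rua: syntax error, receivers ignore it
        tags["p"] = "none"    # rua without p is treated as p=none (monitor only)
    if tags["p"] not in ("none", "quarantine", "reject"):
        return None
    return tags

def protection_level(record: Optional[str]) -> str:
    """'missing' (no usable record), 'monitor', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    return "monitor" if tags["p"] == "none" else tags["p"]

def actively_blocks(record: Optional[str]) -> bool:
    """Assumed definition of 'actively blocking': p=reject on 100% of failing mail.
    pct<100 means receivers apply the policy only to a sample of messages."""
    tags = parse_dmarc(record)
    return tags is not None and tags["p"] == "reject" and tags.get("pct", "100") == "100"

def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Level per domain, the shape of the per-university analysis in the article."""
    return {domain: protection_level(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, level in audit(SAMPLE_RECORDS).items():
        print(f"{domain:16} {level:10} blocks={actively_blocks(SAMPLE_RECORDS[domain])}")
```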
Lack of ‘adequate’ cybersecurity controls
Ahead of A-level results day on 18 August, Proofpoint has also found that none of the UK’s top 10 universities has put in place adequate cybersecurity controls to actively block fraudulent emails from reaching recipients.
With a record 320,000 UK sixth-formers applying for higher education places this summer, the increase in email communication could provide an opportunity for cybercriminals to trick students with fraudulent phishing emails.
Adenike Cosgrove, cybersecurity strategist at Proofpoint, said: “Higher education institutions are highly attractive targets for cybercriminals as they hold masses of sensitive personal and financial data.
“Email remains the most common vector for security compromises across all industries. In recent years, the frequency, sophistication, and cost of cyber-attacks against universities have increased.
“It is the combination of these factors that makes it especially concerning that none of the UK’s top 10 universities is fully DMARC compliant.”