The UK’s Universities Are Under Attack: Here’s How They Respond

The UK’s universities are being assailed from all sides. A report last year revealed that dozens of institutions had accepted at least £122m-156m from Chinese sources over the previous six years. The problem? Around a fifth of these donations came from entities sanctioned by the US for ties to the Chinese military. The revelations highlight the cutting-edge research many universities undertake, and its strategic importance to certain governments.

Ever-alert to the threat, MI5 recently briefed vice-chancellors from 24 leading universities on persistent state-backed efforts to obtain intellectual property. But it’s not just nation states they need to defend against. The threat from financially motivated cyber-criminals also looms large.

Hard to Defend

The higher education (HE) sector makes an often-undervalued contribution to the national economy. According to the latest figures, universities and other HE providers account for £71bn annually in gross value added (GVA) and £130 billion in general economic output. That alone is reason to protect it from nation state and cybercrime groups.

“Cyber offers a deniable route to obtain information that is otherwise unavailable to them,” the National Cyber Security Centre (NCSC) says of state-backed operatives. “It is likely exploited instead of, or in conjunction with, traditional routes to gain access to research, such as partnering, ‘seconded students’, or direct investment.”

Yet HE institutions have to contend with multiple challenges in their efforts to improve cyber-resilience. For one thing, most have large numbers of staff and students using their networks. That makes phishing a popular method of obtaining network access credentials and personally identifiable information (PII). It doesn’t help that – although 84% of universities enforce information security training for staff – only 5% make it compulsory for students.

Universities must also manage risk across a potentially large and complex IT network topology. According to the NCSC, many university networks contain “a collection of smaller, private networks, providing close-knit services for faculties, laboratories and other functions”. This can make consistently enforcing security policy more challenging. It’s a compounded by potential risk at the distributed edge – including home workers and remote students.

“The nature of academic research thrives on collaboration and the open exchange of information. This necessitates open access to networks and resources, making it difficult to implement overly restrictive security measures. Striking a balance between openness and robust security is a constant struggle,” Axians UK CTO, Chris Gilmour, tells ISMS.online.

“This is only compounded by students and staff using personal devices – laptops, smartphones, where universities have to find a balance between BYOD and enabling access to key resources whilst still maintaining a suitable security posture overall. These unmanaged devices, if not properly secured, can introduce vulnerabilities and act as potential entry points for cyber-attacks.”

Finally, HE providers face “long-term, systemic, pressures on their financial sustainability and viability”, according to a 2022 Public Accounts Committee report. A continued tuition fee cap and shorter-term factors like rising energy and borrowing costs and inflation, have made budgeting more challenging. That can have a knock-on impact on cybersecurity budgets, whilst amplifying the damage resulting from security breaches. Aside from any direct costs, universities must also consider the potential impact of a serious breach on reputation in the eyes of prospective students.

The Threat Is Real

When states can’t get what they want by making large ‘altruistic’ donations to HE institutions, they fall back on traditional cyber-espionage. Meanwhile, cybercrime groups increasingly target staff and student PII and exposed systems via ransomware. According to university IT partner Jisc, ransomware is viewed as the number one cyber-threat to the sector, followed by social engineering/phishing and unpatched vulnerabilities. The non-profit claims 97% of HE providers now include cyber on their risk register, and 87% regularly report on cyber risk to their executive board. But that doesn’t make the challenge simply go away.

In fact, it is more pronounced than ever. A government report from April 2023 claims 85% of HE institutions identified breaches or attacks in the previous 12 months, compared to just 32% of businesses.

A devastating breach at Manchester University in 2023 resulted in the compromise of over one million NHS patient records, and stemmed from a phishing attack. In fact, ransomware attacks like this are a common occurrence, and attacks timed to coincide with the critical clearing period – as many are – can have an outsized impact.

The threat from state actors is more subtle but still prevalent. In February 2021, likely state-backed hackers breached the University of Oxford’s Division of Structural Biology, which was working at the time on a COVID-19 vaccine with AstraZeneca. As far back as 2018, Iranian hackers targeted UK universities to steal sensitive research.

Hitting back

Fortunately, even cash-strapped HE institutions can improve their cyber-resilience with some tried-and-tested best practices, according to Gilmour.

“Prioritising staff training in cybersecurity awareness empowers everyone to identify and avoid threats,” he argues. “Implementing open source security tools and leveraging free government resources can plug some security gaps. And encouraging a culture of data minimisation and prioritising critical systems allows them to do more with less.”

Tim Line, head of services at Secure Schools, adds that defence-in-depth is key. Multi-factor authentication, incident response planning, robust backups, endpoint detection (EDR), firewalls and encryption should all be a priority, he tells ISMS.online. The deployment of such controls, and operational best practices including prompt patching, acceptable usage and secure configuration should be outlined in clear policies “that outline expectations and set rules”, Line adds.

“Think about each secure control as a slice of Swiss cheese,” he explains. “One slice has lots of holes and is easily breach-able. Add another slice of security control, and this closes off some of the holes on the first slice, and so on until the risk is reduced to a level that is measured as acceptable.”

Both Line and Gilmour also point to the value of best practice security standards like ISO 27001 and offerings like the NIST Cybersecurity Framework.

“ISO 27001 offers a structured approach to information security management. By implementing its controls, universities can identify and manage cybersecurity risks, develop a culture of security awareness, and establish clear processes for incident response,” says Gimour.

Even more baseline initiatives like Cyber Essentials can be useful in reducing risk, adds Line.

“They will never reduce the risk to zero – just like implementing smoke detectors, fire doors, fire alarms and evacuation procedures doesn’t reduce the risk of experiencing a fire to zero,” he concludes. “It does, however, significantly reduce the risk of occurrence, the fire spreading, and the fire having a significant impact on people and operations.”