University data protection policies under scrutiny as report finds threats of cyber attacks

A report published by the Higher Education Policy Institute and conducted by Jisc, a digital infrastructure provider for HE, has emphasised the expanding risks of cyberattacks among UK universities and academic institutions in general. Last year saw an increase (17%) in attacks and breaches from the year before, and the trend is likely to continue. The cyberattacks will not only increase in frequency, but also in sophistication.

It is common knowledge that the higher education sector is expanding massively as more and more young people at home and abroad become students in the UK. On top of this, universities have become increasingly involved in cyber security research, making these institutions ever more desirable targets for, in the report’s words, “organised criminals and some unscrupulous nation states.” According to separate research conducted by VMware, 36% of universities believe that a successful cyberattack on their research data would pose a risk to national security.

The report (titled “How safe is your data? Cyber-security in higher education”) begins by relating a couple of everyday scenarios in academia in which cyberattacks can easily occur. These scenarios include a Distributed Denial of Service (DDoS) attack on a student using a Virtual Learning Environment (VLE), and a ransomware infection affecting a university’s digital infrastructure after a member of staff visits a website containing malicious code.

Threats such as these compound the sector’s somewhat underreported history of data protection challenges (to put it lightly). Thousands of records, many containing special category data (prior to the GDPR, ‘sensitive personal data’), have been breached across a host of institutions throughout 2017 and 2018. A whistle-stop tour of these incidents might include the University of East Anglia’s email scandal in which a spreadsheet containing health records connected to essay extensions was leaked to hundreds of students; the University of Greenwich receiving a £120,000 fine for holding data on an unsecured server; and Oxford and Cambridge research papers being stolen and sold on Farsi language websites.

To understand the extent of vulnerability that the HE sector’s data protection policies and practices have demonstrated, one need only look at Jisc’s penetration tests on an array of institutions’ resilience to ‘spear-phishing,’ an attack in which a specific individual is targeted with requests for information (often an email using the name of a senior member of staff, requesting, for example, gift voucher purchases or the review of an attached document containing malware). 100% of Jisc’s attempts to use spear-phishing to gain access to data or find cyber vulnerabilities were successful.

Data protection policies come hand in hand with cyber security. Vast amounts of information are stored and used in university research projects, containing data relating not only to students and faculty, but to many external individuals and third parties. Robust data protection policy, including appropriate training for staff and regular risk assessments that analyse cybersecurity penetrability, is vital to reduce the risk of phishing and vulnerability to breaches and hackers.

As the report concludes, “It is imperative that those in higher education continually assess and improve their security capability and for higher education leaders to take the lead in managing cyber risk to protect students, staff and valuable research data from the growing risk of attack.”

Harry Smithson, June 2019