Like organisations across all sectors, many colleges will have suffered a cyberattack in recent years - and those that haven’t should expect to be a target at some point. It’s a case of when, not if.
The scale of impact from an attack will depend on the strength of defences. Building that necessary robustness is best tackled at board level, with strategic investment in stringent technical controls, expertise and security awareness training for all users.
Fortunately, Jisc’s 2020 cybersecurity posture survey shows an improving picture across the sector. For example, the vast majority of further education respondents (87 per cent) indicate that cybersecurity is a priority within their organisation, and more are gaining security certifications, which will help protect against common threats.
More: College cyberattacks on the rise
Background: Colleges ‘over-estimating’ cyberattack readiness
News: Jisc launches three-year digital plan for FE and skills
Security in colleges has tended to be carried out by IT staff wearing multiple hats, so it is encouraging to see the growth in providers with dedicated security staff, up from just 3 per cent in 2017 to 28 per cent this year.
Particularly impressive is that about 80 per cent of colleges provide mandatory security awareness training for staff and 30 per cent also insist that learners take a course. Alongside solutions including multi-factor authentication, this is important because human error - such as falling victim to phishing scams - is a common factor in cyberattacks. Indeed, the posture survey shows that colleges consider phishing/social engineering to be the top threat, with ransomware/malware ranked second.
So, while it’s clear the sector is taking positive steps forward to boost security, it’s a continual process and there’s no room for complacency.
Impact of attacks
During August 2020, there was a spate of ransomware attacks against colleges and universities - seven that Jisc is aware of - leading to the NCSC issuing an alert for academia. Such attacks can be catastrophic, especially if occurring at key times in the academic year.
One provider suffered an attack on results day in August 2020, resulting in the loss of IT infrastructure, email and the student portal. While personal data was not affected, the attack significantly disrupted enrolment and results had to be shared via personal email addresses.
The scale of the fallout from such an attack is difficult to measure, however, because the effects are so wide-ranging. For example, recovery might take up hundreds of extra staff hours and cost tens of thousands implementing new technical controls, causing stress and disruption for staff and students alike.
For the first time, a new report commissioned by Jisc assesses the impact on staff resource, students, reputation and budget. Intended as a means of strengthening understanding of cyber-risk and promoting internal discussion at the top level, the report also offers advice on how to improve defences and shorten recovery times.
Using information from the posture survey and interviews with 12 universities and four FE providers affected by cyberattacks, the report is set against a background of increasing threats.
The scale of the threat
Over the past few years, Jisc’s computer security incident response team has handled between 5,000 and 6,000 incidents and queries a year.
We are noticing the variety of attack methods is expanding across the sector, with state-sponsored actors, criminal gangs, disgruntled students and opportunists all proving to be problematic.
Attackers are acting smarter, too, conducting reconnaissance that can lead to highly refined crimes reflecting staff structure, processes and systems, giving them a better chance of success. Colleges that publish staff organograms on their websites, for example, should carefully consider the risks.
Criminal objectives include scamming individuals for money, accessing systems to defraud payroll, demanding ransom payments, identity theft, disruptive activity, and attacks designed to extract high-value research and intellectual property.
Effects of Covid-19
Because of the shift to remote learning and working, data is increasingly held on devices outside campuses and protecting that information, wherever it exists, has extended existing security challenges and staff workload. For example, posture survey data indicates projects to introduce multi-factor authentication, and virtual private network rollouts have been brought forward.
The type of attacks has changed since March, too: cybercriminals are flexible and respond quickly to exploit social or economic factors, including Covid-19, and there are many instances of phishing scams taking advantage of the fear around the virus.
Financial impact
Responses to the posture survey show that colleges estimate that attacks over the last year have cost less than £100,000, with most under £50,000. More than a third (35 per cent) indicate no cost, but we suspect the actual cost is simply not being captured.
One college that helped with our research describes losing £10,000 from payroll via a fraudulent email sent to a vice principal. Another experienced a phishing campaign that affected 40 accounts, leading to recovery costs of £30,000 over 12 months.
The targeting of finance teams and senior staff is commonplace and regularly successful. While money might be recovered, the effort is significant, and the loss of data can attract hefty fines from the Information Commissioner’s Office (ICO); a six-figure fine has already been imposed on one education provider.
While staff time is recorded in the survey as the biggest reported impact of cyberattacks for colleges, feedback also suggests that the work of IT and other staff to recover is not measured. It can certainly be very costly, especially if external specialists are brought in, with daily costs upwards of £1,200.
Reputational damage
Although the media is endlessly interested in cyberattacks, there is little evidence of significant reputation impact on our sector to date. Perhaps there is more sympathy for educational organisations that fall victim to cybercrime than might be expressed for commercial companies, particularly global giants.
One college has been praised by a third party for the way it responded and recovered within five days from a devastating ransomware attack early this year. Patience and understanding may have waned if the impact had extended longer, or the attack had occurred at a critical calendar moment.
Reducing risk
To help minimise the impact, the report brings together a comprehensive set of advice to help colleges build robust defences. This covers technical controls, certificates, leadership and board-level engagement, and awareness training.
Steve Kennett is director of e-infrastructure at Jisc
