universities Archives - Security IT Summit | Forum Events Ltd
Posts Tagged :


UK university students at risk from email scams, says report

960 640 Stuart O'Brien

Research has found that none of the UK’s top 10 universities actively block fraudulent emails from reaching recipients.

Proofpoint has released data identifying that 97% of the top universities in the United Kingdom, the United States and Australia are lagging on basic cybersecurity measures, subjecting students, staff and stakeholders to higher risk of email-based impersonation attacks.

The research found that 97% of the top ten universities[1] across each country are not taking appropriate measures to proactively block attackers from spoofing their email domains, increasing the risk of email fraud. This figure rose to 100% amongst the top 10 UK universities, with none actively blocking fraudulent emails from reaching recipients.

These findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top ten universities in each country. DMARC[2] is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject,[3] with reject being the most secure for preventing suspicious emails from reaching the inbox.

With a record 320,000 UK sixth-formers applying for higher education places this summer, students will be eagerly awaiting email correspondence regarding their applications when A Level results are announced on the 18th of August. The uncertainty and unfamiliarity with the process, as well as the increase in email communication provides a perfect storm for cybercriminals to trick students with fraudulent phishing emails.

“Higher education institutions are highly attractive targets for cybercriminals as they hold masses of sensitive personal and financial data. The COVID-19 pandemic caused a rapid shift to remote learning which led to heightened cybersecurity challenges for educationinstitutions opening them up to significant risks from malicious email-based cyber-attacks, such as phishing,” says Adenike Cosgrove, Cybersecurity Strategist at Proofpoint. “Email remains the most common vector for security compromises across all industries. In recent years, the frequency, sophistication, and cost of cyber attacks against universities have increased. It is the combination of these factors that make it especially concerning that none of UK top ten universities is fully DMARC compliant.”

Key findings from the research include:

  • None of the UK’s top 10 universities have implemented the recommended and strictest level of protection (reject), which actively blocks fraudulent emails from reaching their intended targets, meaning all are leaving students open to email fraud.
  • Whilst 80% have taken the initial steps by publishing a DMARC record, the majority (75%) only have a monitoring policy in place for spoofed emails. This policy freely allows potentially malicious spoofed emails into the recipient’s inbox.
  • 2 out of the 10 top UK universities (20%) do not publish any level of DMARC record.

The World Economic Forum reports that 95% of cybersecurity issues are traced to human error, yet according to Proofpoint’s recent Voice of the CISO report, Chief Information Security Officers (CISOs) in the education sector underestimate these threats, with only 47% believing users to be their organisation’s most significant risk. Concerningly, education sector CISOs also felt the least backed by their organisation, compared to all other industries.

With the shift to remote (and more recently, hybrid) learning, Proofpoint experts anticipate that the threat to universities will continue to increase. The lack of protection against email fraud is commonplace across the education sector, exposing countless parties to impostor emails, also referred to as business email compromise (BEC).

BECs are a form of social engineering designed to trick victims into thinking they have received a legitimate email from an organisation or institution. Cybercriminals use this technique to extract personal information from students and staff by using luring techniques and disguising emails as messages from the university IT department, administration, or a campus group, often directing users to fake landing pages to harvest credentials.

“Email authentication protocols like DMARC are the best way to shore up email fraud defences and protect students, staff, and alumni from malicious attacks. As holders of vast amounts of sensitive and critical data, we advise universities across the UK to ensure that they have the strictest level of DMARC protocol in place to protect those within their networks.

“People are a critical line of defence against email fraud but their actions remain one of the biggest vulnerabilities for organisations. DMARC remains the only technology capable of not only defending against but eliminating domain spoofing or the risk of being impersonated. When fully compliant with DMARC, a malicious email can’t reach your inbox, removing the risk of human interference,” concluded Cosgrove.

Best practice for students, staff and other stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating education bodies.
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
  • Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.

This analysis was conducted in May 2022 using data from QS Top Universities.

50% of UK universities have reported data breaches in last 12 months

960 640 Stuart O'Brien

More than half of UK universities reported a data breach to the ICO in the last year, while 46% of all university staff received no security training and almost a quarter of institutions (24%) did not commission a penetration test from a third party. 

That’s according to research conducted by Redscan on the state of cyber security in the higher education sector, based on an analysis of Freedom of Information requests.

The National Cyber Security Centre (NCSC) itself says universities are targeted by criminals seeking financial gain, as well as by nation state attackers looking to steal intellectual property. The Redscan report underscores the degree to which universities are an attractive target. It also raises concerns that many may not be doing enough to defend against the latest threats, particularly at a time when institutions are embracing remote teaching en masse and conducting world-changing research in relation to COVID-19. 

Defending against an incessant stream of phishing attacks remains a challenge of all universities, says Redscan. Several institutions reported receiving millions of spam/phishing emails each year, with one reporting a high of 130 million. Phishing attempts were described as being “endless” and one university disclosed that attacks had increased by 50% since 2019. 

Other key findings from the report include:

  • 54% of universities reported a data breach to the ICO in the last 12 months
  • A quarter of universities haven’t commissioned a pen test from an external provider in the last year
  • 46% of all university staff in the UK received no security training in the last year. One top Russell Group university has trained only 12% of its staff
  • Universities spend an average of £7,529 per year on security training, with expenditure ranging from £0 to £49,000
  • Universities employ, on average, three qualified cyber security professionals
  • 51% of universities are proactive in providing security training and information to students
  • 12% of universities do not offer any kind of security guidance, support or training at all to students
  • 66 out of 134 universities have Cyber Essentials or Cyber Essential Plus certification

Redscan CTO, Mark Nicholls, said: “UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistencies in the approach institutions are taking to protect their staff, students and intellectual property against the latest cyber threats. 

“The fact that such a large number of universities don’t deliver cyber security training to staff and students, nor commission independent penetration testing, is concerning. These are foundational elements of every security program and key to helping prevent data breaches. 

“Even at this time of intense budgetary pressure, institutions need to ensure that their cyber security teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding.” 

“The threat posed to universities by nation state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable.”