A team of ethical hackers recently conducted tests on the cybersecurity defenses of more than 50 universities in the United Kingdom. In each case, it took them less than two hours to gain access to “high-value data”.
This is according to The Higher Education Policy Institute (HEPI) and the non-profit Jisc, which provides digital services to academia in the UK.
Key to the 100-percent success rate of the simulated attacks was spear-phishing, a targeted form of phishing that involves sending a bespoke email to a well-researched prospective victim. These emails, where the sender pretends to be a trusted entity in a bid to convince the victim to open malicious attachments or visit fake websites, worked to breach the network of each participating university.
“Alarmingly, when using spear-phishing as part of its penetration testing service, Jisc has a 100-percent track record of gaining access to a higher education institution’s high-value data within two hours,” reads the report.
In some cases it took the white hats less than an hour to “reach student and staff personal information, override financial systems and access research databases”, said the BBC.
It is no wonder that security experts are concerned. “We are not confident that all UK higher education providers are equipped with the adequate cybersecurity-related knowledge, skills and investment,” said John Chapman, head of Jisc’s Security Operations Centre.
According to the UK’s National Cyber Security Centre (NCSC), most actual attacks that target universities in the country are related to phishing and attempts to gain entry for ransomware and other malware, including with the aim of stealing sensitive research data and intellectual property.
Needless to say, besides the personal information of employees and students, universities hold staggering amounts of highly-valuable and commercially-sensitive research data.