Skip to main content

Governance news: First threat assessment for universities produced by NCSC

19 Sep 2019 | David Williams The National Cyber Security Centre (NCSC) has produced a threat assessment aimed at universities.

NCSC has issued its first threat assessment of the risk of cyber-attacks facing the university sector in a new report titled The cyber threat to Universities.

The assessment highlights the risks associated with state-sponsored espionage, as well as the financial losses incurred by universities from cyber criminals. The report aims to raise awareness of the cyber threats facing universities, and is intended to be read by senior leaders, members of university councils and those engaged in research.

The NCSC report highlights two areas of risk:

  • State-sponsored espionage targeting higher value research
  • Financial losses arising from the actions of cyber-criminals, who are seeking financial gain through fraud, or to monetise stolen material through sale or ransom.

State-sponsored espionage

Of the two risks highlighted, NCSC suggest state-sponsored espionage is likely to cause the greater long-term damage. The likely effects of state espionage include “damage to the UK’s knowledge advantage.”

Cyber crime

The NCSC report includes several examples of cyber-crime, including the use of ransomware, which locks systems and data until a ransom has been paid, and the use of spoofed or compromised emails accounts to impersonate a university partner or supplier.

Why attacks are successful

The nature of universities, and not least their culture that is typically open and outward-looking, increases the risk that attackers can find a way to penetrate a university’s systems and processes.

Defending against attacks

The NCSC identify three areas to which universities should give specific attention:

  • People first
  • Access and authentication
  • Network design


The methods adopted for cyber-attacks can be expected to continue to evolve. The damage to a university of a successful attack may be reputational or involve final loss. The latter include costs levied on an institution as result of breaches in data protection legislation.

The implications of a failure of cyber security suggest it is not an area which institutions, and governors, can be complacent.

Governing bodies should regularly seek assurance from senior management that the institution has adopted appropriate measures to minimise the risk of a cyber-attack being successful, and receive reports on attempted attacks, as well as those which have penetrated the institution’s security.

The Cyber Security Toolkit for Boards is a resource designed to encourage essential cyber security discussions between the Board and their technical experts.





Keep up to date - Sign up to Advance HE communications

Our monthly newsletter contains the latest news from Advance HE, updates from around the sector, links to articles sharing knowledge and best practice and information on our services and upcoming events. Don't miss out, sign up to our newsletter now.

Sign up to our enewsletter