The assessment highlights the risks associated with state-sponsored espionage, as well as the financial losses incurred by universities from cyber criminals. The report aims to raise awareness of the cyber threats facing universities, and is intended to be read by senior leaders, members of university councils and those engaged in research.
The NCSC report highlights two areas of risk:
- State-sponsored espionage targeting higher value research
- Financial losses arising from the actions of cyber-criminals, who are seeking financial gain through fraud, or to monetise stolen material through sale or ransom.
Of the two risks highlighted, NCSC suggest state-sponsored espionage is likely to cause the greater long-term damage. The likely effects of state espionage include “damage to the UK’s knowledge advantage.”
The NCSC report includes several examples of cyber-crime, including the use of ransomware, which locks systems and data until a ransom has been paid, and the use of spoofed or compromised email accounts to impersonate a university partner or supplier.
Why attacks are successful
The nature of universities, not least their typically open and outward-looking culture, increases the risk that attackers can find a way to penetrate a university’s systems and processes.
Defending against attacks
The NCSC identify three areas to which universities should give specific attention:
- People first
- Access and authentication
- Network design
The methods adopted for cyber-attacks can be expected to continue to evolve. The damage to a university of a successful attack may be reputational or involve financial loss. The latter includes costs levied on an institution as a result of breaches in data protection legislation.
The implications of a failure of cyber security suggest it is not an area about which institutions, and governors, can be complacent.
Governing bodies should regularly seek assurance from senior management that the institution has adopted appropriate measures to minimise the risk of a cyber-attack being successful, and receive reports on attempted attacks, as well as those which have penetrated the institution’s security.
The Cyber Security Toolkit for Boards is a resource designed to encourage essential cyber security discussions between the Board and their technical experts.