Over Half of Universities Report Data Breach in the Last Year

A survey has found that 54% of UK universities reported a data breach to the ICO (Information Commissioner’s Office) in the past 12 months.

Of the 86 universities that responded to a Freedom of Information request from security firm Redscan, the majority admitted serious shortcomings in their ability to prevent data breaches.

According to the study, 46% of university staff haven’t received staff awareness training in the past year, and universities spend just £7,529 a year on average educating their employees.

Redscan found a similar lack of investment in training for students. Only 51% of universities proactively provide security training to students – although a further 37% said they provided resources to students who requested it.

However, that still leaves 54% of staff and 12% of students who are getting no guidance or support managing cyber security threats.

The lack of investment in staff awareness training is particularly dangerous when you consider the amount of sensitive data that universities hold.

Many UK universities conduct world-leading research, which makes them an attractive target for financially motivated cyber criminals and state-sponsored hackers looking to steal intellectual property.

Earlier this year, there were reports of criminals targeting universities trying to steal coronavirus research.

That shouldn’t come as a surprise, because experts have been warning about attacks on universities for years.

For example, after more than 50 universities in the UK were breached as part of a security test conducted by Jisc last year, John Chapman, the head of Jisc’s security operations centre, warned that the vulnerabilities in universities’ defences could be a sign of an impending “disastrous data breach or network outage”.

He added: “We are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment.

“Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat.”

Both that test and the Redscan report found that the most dangerous attack method was phishing.

Universities received millions of phishing emails last year, with one institution claiming that it had detected as many as 130 million and another saying that the number of attacks had increased by 50% since 2019.

How else can you prevent attacks?

Redscan’s report also notes the importance of regular penetration testing. This is a controlled form of hacking in which security professionals act on your behalf to find and test weaknesses that criminals could exploit.

The researchers note that testing is especially important for universities, because they have large IT infrastructures, many users and a lot of specialist equipment.

However, 27% of universities said they hadn’t conducted a penetration test in the past year, and only 29% performed more than one.

Mark Nicholls, Redscan’s chief technology officer, expressed his surprise, adding that “universities hold a lot of sensitive data and without regular security testing it’s impossible to know whether existing controls in place are effective at protecting it.

“Penetration testing ensures universities can better understand and mitigate the threats to their security and demonstrate compliance with the GDPR [General Data Protection Regulation] and PCI DSS [Payment Card Industry Data Security Standard].”

Affordable cyber security

It’s not just universities that need to be concerned. Educational institutions in general struggle to implement the necessary security controls, given the breadth of their IT systems, tight budgets and large volume of staff and students.

Indeed, many schools simply don’t have the resources to commit to data protection.

However, with the help of our sister company GDPR.co.uk, effective security can be a lot more affordable than you might think.

Its dedicated GDPR for schools service helps you streamline your essential compliance practices, including data breach notifications, staff training and documentation.