The Cyber Threat to the UK’s Universities

July 19, 2024
pile of books with academic mortar board on top


Sachin Bhatt, our regular cybersecurity contributor, highlights the threats to our universities from malicious activity

UK universities are renowned for ground-breaking research and innovation that has changed society and the world. It is sometimes easy to take for granted what they have contributed to the world, from the discovery of penicillin to establishing the first working computer and even DNA fingerprinting. These are just a few in a very long list of discoveries of work made possible by the immense talent and expertise the UK has to offer. It is therefore no small wonder that universities in the UK rank fourth in the world for global innovation and first in Europe for collaborations with industry.

The economic impact the sector has had both in the UK and internationally is staggering. All in all, research and development results in somewhere between £1.96 – £2.34 in private spending for every £1 spent on research. In total, some 96,000 people are employed in businesses spun out of universities who collectively turnover a substantial £13 billion. Furthermore, the contribution made by delivering research to established businesses and organisations is estimated to be above £1.4 billion1 . Many of the outcomes of research and development are commercialised at pace and provide the UK economy with strong footing to compete on a global scale.

It is no wonder then, that the cutting-edge research of UK universities might be a victim of its own success by having a big target on its back. In April this year the Director General of MI5, Ken Mc Callum, jointly addressed leading universities alongside the CEO of the National Cyber Security Centre (NCSC) on the threats they face. Specifically, UK universities are firmly in the crosshairs of foreign nation state threat actors seeking to gain an economic advantage by getting their hands on highly prized research and intellectual property. But it is not just economic wellbeing that is at stake. University research includes technology used for defence and protection of UK assets which, in the hands of foreign powers, could be used to advance their own tactical security measures.

According to the official government National Cyber Security Breach Survey2 , it was much more probable for a wider range of cyber attacks and breaches to be experienced by higher education institutions than businesses. So rampant is the threat they are under, that half of those who participated said resulting breaches occurred on a weekly basis. This shows just how much of a sought-after target universities have become particularly as there is a need to protect intellectual property too, which is often seen as a separate threat factor from to the need to protect against cyber intrusions.

In comparison to UK businesses, higher education institutions and universities were more likely to experience cyber incidents resulting in breach of data or monetary loss as a result of an attack: 61% compared with just 8% of large businesses reporting the same impacts showing just how wide the divide is.
By their very nature, the culture of universities foster a collaborative environment and one built on partnerships with other research institutes and leading experts from around the world. These an open working practices, require a degree of inter connectivity, so the stringent protocols, procedures and necessary due diligence that would otherwise be undertaken in a corporate environment can get overlooked. In the corporate world, commercially sensitive data would not be shared openly, freely and without consideration of geographies and management but the very nature of some cutting edge research demands a wide global community operating on varying networks to share critical data without the same controls always being in place.

The geopolitical lens has changed the threat level universities face and will continue to do. Throughout the UK, there have been an increase in the number of state-sponsored cyber attack emanating from Russia and China as well as other nation states seeking to gain an advantage in everything from research on new materials to energy and even agricultural advancements. Let’s also not forget that state backed criminal groups continue to utilise ransomware services as part of a criminal enterprise operations to financial gain from both the universities attacked and by selling data acquired thus providing them with two potential revenue streams.

So, what are the most prevalent types of cyber attack vectors and where should universities be focusing their defensive efforts?

It should perhaps come as no surprise that the most prevalent form of attack is phishing coupled with impersonation of individuals, the institutions and other interested parties. Identifying key individuals and groups associated with particular disciplines is all too easy from both academic and personal online sources. Preventing the enormous volume of emails on university networks is a difficult undertaking from both an institutional level and that of JISC (the not-for-profit service which maintains the UK’s education networks).

Phishing is the foundation for the vast majority of cyber attacks on universities, be they data breaches or malware infections. Defending against these is simple in theory but the practice can be difficult. The focus should be on awareness for users and implementing access controls to limit access to the most sensitive research data. Furthermore, to ensure the UK remains at the forefront of research, leading in the world of innovation and contributing to the economy, universities should consider investing in cyber security specialists to help protect and negate the e impact and reputation. An ounce of prevention will really be worth a pound of cure for any university that suffers a data breach where any resulting fine could have been money better spent on advancing research.

Sachin Bhatt, Technical Director of CyXcel. He previously served as an incident management lead in CERT-UK and the UK’s National Cyber Security Centre complemented by over a decade long career in government.
  1. Impacts (universitiesuk.ac.uk) ↩︎
  2. Cyber security breaches survey 2023: education institutions annex – GOV.UK (www.gov.uk) ↩︎