News: NCSC release report on Cyber Threat to UK Universities

Statement from Chief Information Security Officer around the new report from the National Cyber Security Centre.

The National Cyber Security Centre (NCSC) have issued a cyber threat assessment for UK Universities:
It highlights the main threat actors (Cyber criminals and State Sponsored groups), and details of their motives and targets
. It also suggests some mitigations.
The following summary details these points and outlines what actions we have underway and/or planned to combat this
The University considered considered these groups in planning activity for the short and medium term
. They also feature in the Info Sec Strategy that we are working to address.

Threat Actors:

Cyber criminals:

It is
likely that cyber-crime presents the most evident threat to the sector. Cyber criminals seek information for financial gain using untargeted attacks, such as ransomware.
Whilst rarer, targeted attacks could result in greater financial loss to the University.
Using spoofed or compromised email accounts for phishing, spear phishing or whaling attacks will continue to be their method of choice
We see this activity on a daily basis, with student account compromise being prevalent

Nation states:

Nation States are almost
targeting Universities for the data and research held.
They seek emails, bulk personal information, technical resources (documentation and standards) and sensitive research
Their motivation is
to seek competitive advantage and access to information and technology that is otherwise inaccessible due to political sanctions
Sophisticated attacks have affected UK universities in the past, with the Mabna Institute in Iran last year attempting to extract research data from e-journal providers by attempting to spoof university websites

Recommended Mitigation.

The report suggests several actions that should
be considered

‘People first’ – first line of defence is our people.

This counters the mistaken position that ‘people are the weakest link’. They are not, and are one of our greatest assets.,
Good security awareness is key.
We are continuing to work on this with efforts to engage
with senior management across the University to help push the message that everyone has a role play in protecting our systems and data
The Information Security Team run regular awareness sessions as part of the Digital Skills initiative and I would encourage you to attend these sessions

Access and authentication.

We are currently examining options to improve this area. We are rolling out a password manager (LastPass) as one step. We are also looking at options for introducing multi-factor authentication.

Network Design.

Through the network replacement project, we will have the option to introduce new security controls
We have also introduced the Data Safe Haven to provide enhanced security controls for research activity involving sensitive data, removing the need for local, uncontrolled data storage
The report confirms that these threats are unlikely to disappear and that the open nature of Universities will continue to present an attractive target