News: NCSC release report on Cyber Threat to UK Universities

Statement from Chief Information Security Officer around the new report from the National Cyber Security Centre.

The National Cyber Security Centre (NCSC) have issued a cyber threat assessment for UK Universities:
 
It highlights the main threat actors (cyber criminals and state-sponsored groups) and details their motives and targets. It also suggests some mitigations.
 
The following summary details these points and outlines what actions we have underway and/or planned to combat this.
The University considered these groups in planning activity for the short and medium term. They also feature in the Info Sec Strategy that we are working to address.
 

Threat Actors:

Cyber criminals:

It is highly likely that cyber-crime presents the most evident threat to the sector. Cyber criminals seek information for financial gain using untargeted attacks, such as ransomware.
Whilst rarer, targeted attacks could result in greater financial loss to the University.
Using spoofed or compromised email accounts for phishing, spear phishing or whaling attacks will continue to be their method of choice. We see this activity on a daily basis, with student account compromise being prevalent.
 

Nation states:

Nation States are almost certainly targeting Universities for the data and research held. They seek emails, bulk personal information, technical resources (documentation and standards) and sensitive research. Their motivation is primarily to seek competitive advantage and access to information and technology that is otherwise inaccessible due to political sanctions.
Sophisticated attacks have affected UK universities in the past, with the Mabna Institute in Iran last year attempting to extract research data from e-journal providers by attempting to spoof university websites.
 

Recommended Mitigation.

The report suggests several actions that should be considered:
 

‘People first’ – first line of defence is our people.

This counters the mistaken position that ‘people are the weakest link’. They are not, and are one of our greatest assets.
Good security awareness is key. We are continuing to work on this with efforts to engage directly with senior management across the University to help push the message that everyone has a role to play in protecting our systems and data.
The Information Security Team run regular awareness sessions as part of the Digital Skills initiative and I would encourage you to attend these sessions.
 

Access and authentication.

We are currently examining options to improve this area. We are rolling out a password manager (LastPass) as one step. We are also looking at options for introducing multi-factor authentication.
 

Network Design.

Through the network replacement project, we will have the option to introduce new security controls.
We have also introduced the Data Safe Haven to provide enhanced security controls for research activity involving sensitive data, removing the need for local, uncontrolled data storage.
 
 
 
The report confirms that these threats are unlikely to disappear and that the open nature of Universities will continue to present an attractive target.