Industry

Education

Safeguard student and staff data, maintain online learning environments, roll out and secure complex applications, patch key vulnerabilities and secure staff and student identities.

Introduction

Connectivity and digital technology now underpin almost all aspects of running a higher education establishment, be that university, research centre, college, or conservatoire.

In recent months, cyber attacks on higher education providers have resulted in significant disruption to teaching and learning and to business-critical systems, sometimes for long periods of time. This has obvious implications for reputational damage, for the wellbeing of staff and students, and for a provider’s bottom line.

In the race to use technology to enhance learning, improve collaboration, and speed up research and development; the security of networks, data, and people within higher education has become absolutely vital. A robust cybersecurity posture cannot prevent a cyber attack, but it can significantly reduce the risk and minimise the impact, should the worst happen.

Industry Overview

Within the UK, the total number of students in higher education was 2,862,620 in 2021/22, an increase of 4% from the previous year. 80,000 plus staff across both teaching and research were employed during the same period. Most recent figures from the Higher Education Statistics Agency (HESA) report that total income for the sector was £43.9 billion in 2020/2021, a clear proofpoint of the size and importance of this sector for the UK economy.

The UK’s university sector, in particular, is renowned for the quality of its research facilities, driving innovation across many sectors, including healthcare and technology, as well as government-funded programmes of national importance such as nuclear energy and defence. The combination of a sizeable digital infrastructure and its potentially sensitive research data has resulted in universities becoming an attractive target for cybercriminals.

Managing the digital identity of students, staff, and visitors has become a core tenet of cybersecurity within higher education establishments.

Market Trends & Statistics

Half (50%) of higher education institutions participating in the government’s Cybers ecurity Breaches Survey 2023, reported experiencing breaches or attacks at least weekly, with three-quarters (75%) of higher education institutions reporting they were negatively impacted regardless of whether there was a material outcome or not.

A recent report found that the UK’s top 30 universities are up to 50% more likely to have breached credentials than any other institution in the remaining top 100. London universities have breached more credentials than Scotland, Wales and Northern Ireland combined. That same report discovered 2.2 million breached credentials available on the dark web for the top 100 UK institutions, with 57% belonging to the 24 Russell Group universities.

Some of the most high-profile cybersecurity attacks and data breaches affecting the UK’s education sector include:

SpoofedScholars – In 2021, a nation-state cyber espionage group thought to be linked to Iran, also referred to as Charming Kitten, conducted a sophisticated credentials-based attack targeting several universities and academics and compromised a website belonging to the School of Oriental and African Studies (SOAS) at the University of London.

Blackbaud – A cloud computing provider used by thousands of universities around the world, disclosed a data breach in 2020 that compromised a variety of data for more than 100 customers, including unencrypted payment data, login credentials and personal identification numbers. In 2023, the company agreed to pay a settlement of almost $50 million in damages. According to Computer Weekly’s reporting of the incident, UK universities impacted by the breach included: “Aberdeen, Birmingham, Bristol, Brunel, Durham, East Anglia, Exeter, Glasgow, Heriot-Watt, Kent, Leeds, Liverpool, London, Loughborough, Manchester, Northampton, Oxford Brookes, Reading, Robert Gordon, Staffordshire, Strathclyde, Sussex and West London. Multiple Oxbridge colleges and several private schools have also been implicated.”

University of Manchester – In June 2023, the University of Manchester was targeted by a sophisticated ransomware attack. Initially gaining entry via phishing, the attacker took steps to cover their tracks while performing reconnaissance and privilege escalation. Staff and students were contacted by the attacker, who threatened to leak personal data if the university did not acquiesce to demands, and more than a million NHS patient records the university had been using for research were compromised.

Challenges & Opportunities

In March 2021, JISC published its Higher Education Strategy 2021–2024; Powering UK Higher Education. The not-for-profit digital agency that focuses on tertiary education, research, and innovation operates the Janet Network, the UK’s national research and education network (NREN), which provides a high-speed network that links the UK research and education community. The report champions the UK education sector’s digital achievements over the past few years, particularly with its innovative approach to online and blended learning. Like many sectors, organisations providing higher education facilities experienced a rapid shift to remote working during the pandemic, necessitating investment in new digital infrastructure to support distance learning and research.

Jisc highlights the growing global demand for education and the UK’s leadership in transnational education, with almost half a million international students taking up places between 2019 and 2020. As universities and higher education institutions push to better utilise data to deliver enhanced education services to more students in ever-expanding locations, effective digital infrastructure will be a cornerstone of investment for the sector over the coming years.

As the sector grows, so too will the volume and sophistication of cybersecurity threats facing these institutions. By nature, higher education institutions have broad attack surfaces, numerous potential points of entry for threat actors, and large user groups vulnerable to social engineering. The significance of the sector to the UK economy means that mitigation of the risks associated with digital transformation is non-negotiable.

Regulations & Compliance

All educational institutions are subject to a variety of regulations that govern the collection, use and protection of personal information. Compliance with these regulations is crucial for organisations in this sector to maintain trust among their staff and students and to avoid potential legal, financial, and reputational consequences associated with a data breach. Some of the key regulations that apply to the education sector include:

Cyber Essentials is a simple, low-cost government-backed scheme that allows organisations to demonstrate a robust approach to their cybersecurity. By implementing the five Cyber Essentials technical controls, an organisation protects itself against the most common internet-based threats. Going through the preparation and assessment process can ensure valuable information is protected from theft. With two levels of certification—Cyber Essentials and Cyber Essentials Plus—the scheme provides a range of support for all sizes of organisation. With Cyber Essentials, a self-assessment scheme, organisations can minimise common vulnerabilities to basic attacks and provide mitigating steps for some of the most common cybersecurity threats. Cyber Essentials Plus includes hands-on technical verification and provides a more robust framework for developing an organisation’s cybersecurity posture.

The General Data Protection Regulation (GDPR) is a landmark piece of legislation that governs how organisations collect, store and use the personal data of individuals. Enforced by the Information Commissioner’s Office (ICO) in the United Kingdom, fines for non-compliance with GDPR can be significant, ranging up to 4% of an organisation’s turnover or £17.5 million. UK universities have been subject to significant penalties for non-compliance and data breaches.

Looking for cybersecurity peace of mind?

Conclusion

Cybersecurity will be high on every university’s risk register. The nature of the data education institutions hold—from staff and student personal information, to sensitive research information and intellectual property—places these organisations on the most wanted list for most, if not all, cyber threat actors.

Using BlueFort’s standards-based framework of continuous discovery, validation, and control, we are able to help educational organisations navigate the regulatory minefield with simplicity and confidence.

As your trusted cybersecurity partner, BlueFort provides the assurance and expertise to strike a harmonious balance between seemingly conflicting imperatives. We enable you to fortify your defences and foster continual innovation, all while maintaining the essential competitive edge that stems from steadfast security and compliance. Your security, your innovation, and your advantage—we’ve got you covered.

See how BlueFort can help you simplify your cybersecurity

Related Resources

Whitepaper

Use Case

External Attack Surface Management (EASM)

Cyber Threat Intelligence (CTI)

Data Security

Continuous Threat Exposure Management (CTEM)

Optimised SIEM

Cloud Security Posture Management (CSPM)

Zero Trust / IAM

Industries

BlueFort Evolve

Security Assessments

Consulting

Cybersecurity Support

Company

Why Choose BlueFort?

Our Approach

Meet The Team

Careers

Events & Webinars

Content Library

The Modern MFA Capabilities NHS Organisations must prioritise to meet the New NHS England Requirements