Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

This blog post aims to provide an overview of the state of cyber security in universities and other higher education organisations. Security has been a challenge for a long time at schools, colleges and universities. Aligning ourselves with the glass-half-full attitude, these organisations and institutions have shown good progress with basic security controls. Information security is a prerequisite for various business dealings in the public sector, grant funding and procurement processes.

Life for university students has changed massively during the coronavirus pandemic, as it has for all of us. While some in-person lectures and seminars are still taking place, there has been a big shift to remote learning. This has, perhaps understandably, led to concerns about how well students are engaging with this way of studying. Many universities have sought to address this by turning to remote monitoring tools to track students’ online activities.

In the day and age of COVID-19 we have witnessed a transformation of the way we work. If I were asked before March of 2020 how long it would take to make the progress in digital and security transformation that we as a society have made in the last 9 months, I would have guessed at least 5 years. The rate of adoption in the face of the pandemic has been unprecedented. Nowhere have the changes required to make remote working come on faster than with education.

The number of successful ransomware attacks on the education sector increased 388% in the third quarter of 2020. According to Emsisoft, the education sector reported 31 ransomware incidents in Q3 2020. That’s a 388% increase over the 8 incidents that occurred in the previous quarter. Nine of the 31 ransomware attacks disclosed in the third quarter of the year involved data exfiltration, a tactic which has become common with ransomware gangs over the past year.

As legislation goes, the GDPR could be unique in its insistence that a new professional role, the Data Protection Officer (DPO), be created to ensure its mandates are properly met. But getting a DPO in place is no simple recruitment exercise, and that’s especially true for schools. For starters, people with the requisite mix of abilities and experience to do the job in educational environments are hard to find.

Education is a strictly regulated industry in which robust cybersecurity protection is a must. Data breaches can cost a fortune for schools and universities, since the loss of students’ personal information and other critical data brings reputational damage alongside fines for regulatory non-compliance. In the US in 2019 there were 348 publicly disclosed K-12 school-related cybersecurity incidents — triple the number in 2018.

In March 2020, Redscan sent Freedom of Information (FOI) requests to 134 universities across the UK. The aim was to understand more about the frequency of data breaches in the sector and some of the steps institutions are taking to prevent them. The focus on universities was due to the integral role these organisations play in conducting world-changing research and shaping the skills and knowledge of the workforce. The results of the FOI request are available to download in a short report.

We are now living in an era where kids are growing up with the internet every day. Those of us who are older learned how to be more skeptical of technology, but our children largely aren’t growing up with this same level of skepticism. Today, over 60% of children are using the internet for over forty hours a week. Many of these children are taking cybersecurity for granted because they simply aren’t aware of many of the digital security risks that come with online use.