The UK is famous for the quality of its universities, which attract undergraduates, postgraduates and academics from around the world. It would appear, however, that when it comes to IT security, some of the staff at these institutions may not be as well-informed as you might hope given their place of employment. At least, that’s the conclusion of a survey undertaken by Jisc (previously known as the Joint Information Systems Committee).
According to Jisc, it achieved a “100 per cent track record” of obtaining access to “high-value data within two hours” when it undertook a penetration test of 50 British universities. Its success was not the result of sophisticated attack strategies that even academics could not counter, but of the low-tech, old-school approach of “spear phishing” administrative staff.
Kaspersky defines spear phishing as follows:
“Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.”
So this is not a matter of blasting suspicious emails with infected attachments to hundreds of email addresses. Instead, individual admin staff are targeted and, according to this study, are failing to recognise the attack and take appropriate precautions.
The results of Jisc’s survey probably did not come as much of a surprise to IT staff in the education sector, whom Jisc had surveyed in 2018. At that point, many of them raised concerns that the educational institutions for which they worked had serious weaknesses in their digital defences. When asked what they believed to be the source of the problem, IT staff reported not only a lack of resources (both staff and budget), which, to be fair, are widespread concerns amongst public-sector organisations in general, but also a lack of appropriate policies, which points to failures on the part of senior staff.
Although it may be tempting to see the lack of clear and meaningful policy direction as a sign that senior-level staff are not taking IT security seriously enough, it’s only fair to point out that they too will be working under resource constraints. This means that, while they may well be aware of the importance of having solid IT security, they are very probably faced with many other competing priorities.
It is also only fair to note that the complexity of ensuring data security in an educational environment was highlighted in the run-up to the implementation of GDPR and yet the concerns raised did not appear to generate any sort of meaningful response from either central government or local authorities, who, for the most part, were focusing on saving money wherever they could rather than investing it to help the education sector to improve its data security.
While government intervention could be one solution to this issue, economic realities suggest that it is highly unlikely to be forthcoming any time soon. Therefore, the ball is very much back in the court of IT professionals in the education sector to come up with solutions. The good news is that solutions do not need to be either expensive or time-consuming to be effective. Given that the point of weakness appears to be time-pressed administrative staff, one potential option would be to provide “infographic-style” support documentation that they could reference quickly and easily while under the pressure of a live call. This may not be the panacea for all GDPR-related ills, but it may be enough to create meaningful improvement for this specific realm of data breaches.