Cyberattacks target UK universities ‘weekly’, survey reveals

Cybersecurity continues to be a problem for UK higher education, with new figures suggesting that the vast majority of institutions suffered attacks in the past year.

A survey of 52 higher education providers conducted by the Department for Science, Innovation and Technology (DSIT) between September and January shows that 44 (85 per cent) identified breaches or attacks within the past 12 months.

Although this figure is down slightly from 92 per cent the year before, DSIT said the small sample size meant the proportion being attacked had not changed much since 2020, when the survey began.

Higher education institutions were more likely to be targeted than any other form of education body, and more than other sectors, with just 32 per cent of UK businesses reporting attacks in the 2023 survey.

Adrian Ellison, associate pro vice-chancellor and chief information officer at the University of West London, said higher education institutions continued to be targets of cybercrime because of their scale and the number of users, and they attracted the attention of state actors looking to target specific research activity.

Further and higher education institutions are also more likely to experience a wider range of attack types, such as impersonation, viruses or other malware, and denial-of-service attacks.

Of the 44 HEIs that identified breaches, half reported experiencing attacks at least weekly.

All reported phishing attacks, 86 per cent suffered impersonation breaches, and 64 per cent faced viruses, spyware or malware.

DSIT said that higher education institutions were “more severely affected” than schools, with 60 per cent of those attacked losing money or data, compared with just 24 per cent of typical businesses.

And 45 per cent reported having compromised accounts used for illicit purposes, which was found to be “a much more substantial problem for universities than for other large organisations”.

Mr Ellison, who is also chair of UCISA, the member-led professional body for digital practitioners within education, said the data showed that HEIs were better prepared, better informed and therefore more aware of the risks than other parts of the education sector.

“As a result, they are better able to monitor and report on potential and/or actual cyberattacks,” he said.

HEIs came out on top for having cybersecurity policies (90 per cent), business continuity plans (85 per cent) and incident response plans (77 per cent).

Mr Ellison said organisations such as UCISA, Jisc and the National Cyber Security Centre had been working in a coordinated and collaborative way to raise awareness and support institutions with practical tools.

“In addition, the sector is renowned for its shared learning, with many CIOs [chief information officers] who have experienced cyberattacks willing to support those needing advice or falling victim,” he added.

Around half of participating providers reported having cybersecurity strategies in place, and some reported difficulty in raising their concerns with senior management.

“One higher education institution interviewee noted that their board had a manual for how to deal with major physical incidents such as fires, floods, bomb threats and pandemics, but this did not cover cyber incidents,” DSIT said.

Another respondent from the sector said that the best way to make board members aware of the danger of cybersecurity attacks was to explain the risks for end users.

The survey also revealed that three-quarters of higher education institutions were negatively affected no matter what, because additional staff were needed to deal with attacks, and new measures were required to prevent it happening again.

patrick.jack@timeshighereducation.com