Cyber security in universities: Threats, threat actors and defence


This blog post aims to provide an overview of cyber security in universities and other higher education organisations. Security has been a challenge for a long time at schools, colleges and universities. Taking a glass-half-full view, these organisations and institutions have shown good progress with basic security controls.

Information security is a prerequisite for various business dealings in the public sector, grant funding and procurement processes. GDPR has further pushed the boundaries of ensuring the security and privacy of data. Given the nature of our work, we cite facts with their sources when identifying weaknesses.

What attracts attackers to universities?

The following types of data are of most interest to attackers:

  • Databases containing thousands of records on personal and financial information
  • Research and intellectual property (IP)
  • Emails and contact data

Sensitive research is targeted for an obvious reason: its future or defence value.

A successful Business email compromise (BEC) attack led one American university to lose $1.9 million. The payment was made in response to an invoice from an attacker posing as a construction contractor company. The FBI reported $3.5 billion in losses in 2019 alone.

Threat actors targeting Universities

Universities are not just opportunity providers for graduates and careers; they are a great source of research and innovation for the economy. Given the thousands of students they educate, who are the active citizens and youth of the country, they are highly sought after as targets by multiple entities.

Based on the research and data breach investigations, threat actors targeting universities are mainly organised crime groups and state-sponsored actors. 

Cyber crime

Universities are targeted by cyber crime in two ways:

1. Targeted attacks

These attacks utilise social engineering techniques such as phishing, vishing (voice-based), smishing (text-based) and active attacks on infrastructure. Utilising compromised email accounts has led to an increase in cyber attacks within an institution, because the trust between internal accounts is already established. This allows further infiltration into the university networks and systems, giving easier routes towards sensitive data. Another technique often used in phishing campaigns is spoofed emails, which can lead to the harvesting of sensitive information or, in certain cases, the transfer of funds. Criminals target universities to steal information that can be sold on, used to commit fraud or monetised in some other manner.

2. Untargeted attacks 

Untargeted attacks involve situations where users were part of a bigger campaign, such as ransomware targeting wider audiences. Ransomware targets vulnerable systems by exploiting specific weaknesses and encrypting user data until a ransom is paid. Modern ransomware is more advanced: the victim's contacts are also approached for ransom, or the compromised environment is used as a launchpad for further ransomware attacks.

In 2020, responses to an FOI request revealed that of the 105 respondents, 33% admitted to ransomware attacks in the past and 45% refused to answer.

State-sponsored actors

Financial gain isn't the only goal in cyber attacks. State-sponsored actors target higher education institutions for data that brings strategic gains, such as innovation or research-related data. State-sponsored espionage causes long-term damage through the loss of competitive edge in research and in topics of national interest.

Compared to traditional methods, cyber is considered a faster, more reliable and easier route towards gaining access to valuable data held by universities. This highlights the importance of user education, secure hardening baselines and cyber security culture change throughout the university environment.

In this report, a phishing campaign was uncovered where attackers masqueraded as university staff to gain victims' trust so that they would open attachments (executing malicious files). Although the conversation took place on LinkedIn, an initial conversation is often the ground for gaining trust before moving channels, for example by sending a test email, and then performing malicious actions via the email account.


Top threats affecting universities

A survey of the education and research sector by JISC, a not-for-profit organisation, highlighted the improvement in cyber security measures. Phishing, ransomware/malware and unpatched security vulnerabilities remain the top three threats impacting the sector.


Phishing is the most popular attack vector contributing to cyber criminals' success. This includes Business email compromise (BEC) attacks, spear-phishing attacks, and voice- and text-based attacks. The economics of carrying out phishing attacks make it a cost-effective and highly successful vector for criminals.

Phishing campaigns are set up with automated methods and sent to hundreds of recipients. It's easy to enumerate information from university websites, student groups and publicly accessible social media pages. This list is then used to enumerate more information about targets and fed into phishing campaigns.

Where a targeted approach is required, attackers first establish a credible context needed to convince the recipients. Once initial trust is established, the attacker pressures the victim to act quickly, typically by exploiting urgency, sympathy, fear or doubt.

Attackers find it lucrative to harvest credentials and steal financial or personal information for immediate monetary gain, and sensitive information is further traded in underground markets. In certain scenarios, this attack chain can also be used to spread malware across the university networks.
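Spoofed sender details and pressure language of the kind described above can be triaged mechanically at the mail gateway or in a SOC playbook. The following is an added example, not code from the original post or from the authors' tooling: it parses a constructed message with Python's standard `email` module and reports the indicators a defender would check first, namely failing SPF/DKIM/DMARC results in the `Authentication-Results` header, a Return-Path or Reply-To domain that differs from the visible From domain, and urgency wording in the subject. All domains, names and header values are made up for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a spoofed invoice mail. All names and domains are made up.
SPOOFED_MAIL = """\
Authentication-Results: mx.university.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=university.example
Return-Path: <billing@bulk-sender.example>
From: "Estates Contractor Ltd" <estates.finance@university.example>
Reply-To: <payments@contractor-invoices.example>
To: accounts.payable@university.example
Subject: URGENT: updated bank details for invoice 4471

Please action the attached invoice today using our new account details.
"""

# Constructed sample: an internal mail that passes every check, for comparison.
LEGITIMATE_MAIL = """\
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=university.example; dkim=pass header.d=university.example; dmarc=pass header.from=university.example
Return-Path: <library@university.example>
From: "University Library" <library@university.example>
To: student@university.example
Subject: Your reserved book is ready for collection

Your reservation is ready at the main desk.
"""

# Heuristic word list (an assumption for this example, not a standard).
URGENCY_WORDS = ("urgent", "immediately", "today", "bank details", "overdue", "action required")
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 address, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators that a message may be spoofed or a BEC lure.

    An empty list means none of the heuristics fired; it does not prove the mail is genuine.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    indicators: list[str] = []

    # 1. Authentication results recorded by the receiving gateway (SPF/DKIM/DMARC).
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, result in AUTH_RESULT_RE.findall(header):
            if result.lower() != "pass":
                indicators.append(f"{mechanism.lower()} result is '{result.lower()}'")

    # 2. Envelope sender (Return-Path) domain differs from the visible From domain.
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if envelope_domain and from_domain and envelope_domain != from_domain:
        indicators.append(f"Return-Path domain '{envelope_domain}' differs from From domain '{from_domain}'")

    # 3. Replies are quietly redirected to a third domain.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 4. Pressure language in the subject line (urgency is a common BEC lever).
    subject = (msg.get("Subject") or "").lower()
    hits = [word for word in URGENCY_WORDS if word in subject]
    if hits:
        indicators.append("subject uses pressure language: " + ", ".join(hits))

    return indicators


if __name__ == "__main__":
    for label, mail in (("spoofed", SPOOFED_MAIL), ("legitimate", LEGITIMATE_MAIL)):
        found = spoofing_indicators(mail)
        print(f"{label}: {len(found)} indicator(s)")
        for line in found:
            print("  -", line)
```

The `Authentication-Results` header is only trustworthy when it was written by your own gateway, so a production version would verify the authserv-id (`mx.university.example` above) before trusting the results, and would treat the word list as a tuning knob rather than a verdict.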


Malware is a silent killer: it has no characteristics that alert users immediately. It is designed to stay in the victim's system for the long term, providing access or the required information back to attacker-controlled systems.

Ransomware is a more targeted approach that aims to compromise systems after phishing or exploiting security vulnerabilities, and then encrypt the data. To get back access to your data, the attacker demands a ransom payment. A unique key (known as a decryption key) is provided to release the data after the ransom is paid.

When a person's email account is compromised, the attackers will likely use it to send more ransomware links to other addresses in the person's contact list. We have covered malware/ransomware protection and removal in a detailed topic of its own.

Insider Attacks

Insider threats are threats that originate from within the organisation. These can be caused by current or former employees who have credentials to assets that hold sensitive data related to the business and its employees. Insider threats are of three types: unintentional (someone who unknowingly puts networks at risk), negligent (someone who ignored or did not put their education and training into use) and malicious (someone who intends to cause harm) insiders.

Based on one survey report by Infoblox, 48% of all participants believed insider threats are the biggest threat to their organisations across the education sector. This is due to the lack of restrictive measures within cyber security in universities and other educational organisations. 


Defending against attacks

Protecting what you have

User education 

Your employees could be your strongest or weakest link in cybersecurity. It all depends upon your cybersecurity strategy. Ensure that regular user education and training is delivered through different channels to establish a baseline of knowledge. Ensure that staff do not browse the internet or download content on servers, and that administrative privileges are not used on assets where browsing takes place. This will reduce the impact of attacks in case of credential theft.

Cyber security testing

A proactive cyber security approach demands security testing to feed risks, rated by likelihood and impact, into the internal vulnerability management process. This assures customers and supply chains that the organisation is assessing and mitigating cyber risk.

Multiple tactics, techniques and procedures (TTPs) are used during testing to check the effectiveness of an organisation's defensive controls. Security assessment and testing aim to identify weaknesses that, when addressed, help develop and maintain the cyber readiness of an organisation.


Maintaining PCI DSS compliance by education providers adds confidence and a positive culture across IT and security teams. Loss of compliance can have repercussions. PCI penetration testing assessments are performed to identify vulnerabilities, assess network segmentation controls and find weaknesses in the security controls in operation. This validation exercise helps organisations plug gaps and improve security measures in line with PCI DSS compliance and its 12 requirements.

Data Privacy

Data privacy needs no introduction in this day and age. With DPA (Data Protection Act), GDPR, CCPA and many more privacy regulations – data privacy is a critical element for the majority of businesses and organisations. Educational organisations or institutions must adhere to data privacy regulations and protect personal information from cyber attacks. 

Our data privacy assessments are both functional and technical in nature, offering you the broad scope around how information is gathered, processed, stored and transmitted.  

Protecting what you know

Penetration Testing 

Penetration testing is a security assurance exercise aimed at finding and safely exploiting security vulnerabilities in a company's internal and external networks, applications or systems. By utilising penetration testing services to identify security vulnerabilities, businesses can determine the extent to which their assets (people, process and technology) are exploitable and can then take the necessary steps to reduce the risk.

This type of security testing, also known as ethical hacking or VAPT, is more about the focussed approach to identify and demonstrate exploitation as an attacker would do in real-world situations. 

The most common security vulnerabilities linked with a penetration test assessment are:

  • Secure hardening issues
  • Encryption misconfiguration
  • Insecure patch management
  • Active directory security flaws
  • Insecure logging and monitoring controls
  • Password cracking based analysis
  • Authentication vulnerabilities
  • Sensitive information storage practices
  • Programming errors
  • OWASP top 10 application risks
  • OWASP top 10 API flaws

Measure your attack surface

Due to ever-expanding attack surfaces, it is important to keep a close eye on whether external footprints are shrinking or expanding. Digital attack surface assessment provides a point in time snapshot of security risks that threat actors could exploit.

It helps businesses identify high-risk areas and blind spots, streamlining the security team's efforts and lowering the risk of data breaches.

Continuous security validation

In-house security teams have to prioritise their efforts due to constant pressures of Business As Usual (BAU) security requirements, internal process monitoring, day to day tasks and other responsibilities. It is a genuine challenge that has forced most organisations to rely on specialist security partner services that provide continuous security validation exercises remotely. 

Sourcing managed security services provides a constant update on the threats to the infrastructure, whether they affect internal networks, external networks or applications. It is different from a vulnerability assessment, which is usually an ad-hoc exercise.


Demonstrating your protections

IT security compliance

IT Security Compliance is more than just a stamp. Several business benefits of successful compliance include avoiding fines and penalties, demonstrating cyber security commitment to your partners and supply chain, and protecting your business reputation while enhancing data management abilities.

GDPR and ISO 27001 assessments are part of our offerings that help businesses achieve certifications to demonstrate security and privacy compliance.

Cyber Essentials 

The Cyber Essentials scheme is a certification scheme to help businesses demonstrate cyber hygiene to customers and stakeholders. It covers five main control areas that, when implemented, help prevent the most common cyber attacks.


Universities generate research and intellectual property and will continue to do so, which makes these institutions constant targets for cyber attacks.

Methods such as spear phishing and other social engineering-based techniques will evolve over time but remain the top attack vectors. Improvements in technology and processes may force attackers to improve their techniques.

Cyber security is an ongoing fight against cyber crime and other threat actors, and universities must assess, analyse and mitigate the security risks on an ongoing basis. 

Get in touch to discuss your primary security concerns.