Cyberattacks on colleges are more sophisticated and complicated, and are causing more disruption, than ever, Jisc has warned.
According to data collected by the not-for-profit organisation and shared exclusively with Tes, colleges are experiencing an average of 12 attacks a week – and November 2019 and January 2020 saw more than 100 incidents in each month.
Overall, Jisc data shows that between February 2018 and January 2019 there were 608 attacks on colleges.
Cyberattacks have caused major disruption in colleges across the UK over the past couple of years.
Last month, Dundee and Angus College experienced an attack that shut down IT systems and resulted in the college closing for four days. In a statement on the college’s website, principal Grant Ritchie said staff had “worked around the clock to get the college up and running again”. A college spokesperson confirmed that there is an ongoing police investigation into the attack.
There were multiple high-profile cyberattacks in 2019. Swindon College was attacked in September. The Swindon Advertiser reported that hackers had gained access to current staff and students’ personal information as well as data retained from those who attended or worked at the college during the last eight years.
In November, staff and students at Loreto College in Manchester received an email sent from a teacher’s account saying that the college had been declared a “terrorist premises” and that an “attack is imminent”.
A spokesperson for Forth Valley College told Tes that it was the responsibility of everybody at the college to be "vigilant in order to reduce the risk associated with cyberattacks on our systems and college operations".
They said: “Unfortunately, these attacks are on the increase and we must continually review, invest and adapt our systems to safeguard our networks and systems to mitigate the impact of potential attacks in the future.
“The safety and security of our systems are a key priority and as a result, we regularly review our processes, and deliver awareness-raising campaigns to staff and students to help prevent attacks.”
The head of Jisc's security operations centre, John Chapman, said that in recent years there has been an increasing trend in attackers using multiple different attack methods to try to cause maximum disruption to an organisation.
He said: “Other attacks are more targeted to exploit vulnerabilities in applications, causing specific systems to slow down or fall over. There are many ways to launch different types of distributed denial of service attacks (DDoS), including combining different attack methods, so multiple defences need to be put in place to mitigate them. Some of the more persistent attackers also change their attack methods in response to mitigations that have been put in place.
“Any organisation that is online can be susceptible to cyberattacks – whether it is criminals trying to commit fraud or identity theft via phishing scams; people launching DDoS attacks to disrupt a network; or more targeted attacks that seek to steal intellectual property.”
The threat from students
Andy Barratt, managing director at cybersecurity firm Coalfire, said that one of the biggest threats to colleges was students themselves.
“If you look at a college, they have vast amounts of people all using relatively open campus networks with a very high bandwidth available to them. You’ve got a lot of students with brand new devices, or devices that have been handed down to them like iPads, laptops, that might not have been secured.
“Those two elements are the sweet spot for a mass intrusion because you’ve got devices that can easily be compromised and a network management that isn’t looking for an intruder in the same way as a regulated environment.”
Student devices will hold lots of sensitive information like email addresses, bank details and log-on passwords for a variety of sites, including social media. When they then connect those devices to the college network, that data becomes available for harvesting by potential attackers, said Mr Barratt.
He said that in order for colleges to protect themselves, they need to see these student devices as a threat.
“All of these student devices have the potential to be compromised and they are devices that you have no ability to apply security measures to. You really have to lock down the infrastructure you’re responsible for and become a service-orientated solution provider.
“Instead of saying, you can plug into our network and when you are in our network you can have access to your coursework submissions, our intranet etc, you need to start talking about being more of an internet service provider and having a series of platforms and network layers, instead of that wider open campus network.
“We cannot do anything about the fact that student devices will be compromised but what we can do is really defend the services that we offer in a much more fine-grained manner.”
How can colleges protect themselves?
In August 2019, the Education Skills and Funding Agency (ESFA) published a guide for education providers on cyberattacks. It says that, as a minimum, providers should use firewalls, antivirus software and strong passwords, routinely back up data, and restrict devices that are used to access.
It also recommended that staff be trained to take precautions such as checking that the sender of an email is genuine before sending payment, data or passwords, and making direct contact with the sender – without using the reply function – where the email requests a payment or change of bank details.
But Mr Barratt said that, first and foremost, colleges need to begin with the defence against the student population.
“If I was a new CIO of an institution with relatively rudimentary security, the first thing I’d do is say look, we can’t manage those devices. And then what you need is more of a resilient mindset instead of a defence mindset so you can say, if something happens within the student estate it’s their responsibility.
“You have to give them awareness training, and make content available to remind them to do things with their devices. If a student gets compromised, you can say we need to lock out the student estates quickly so it doesn’t move laterally into the college infrastructure,” he said.
He added that colleges also need a security improvement pillar, which includes robust policies and procedures, centralising security resources at a more corporate-level cybersecurity framework.