Cyberattacks on colleges are increasing both in frequency and in scope, according to new statistics seen by Tes Scotland.
One of the methods criminals are using against colleges is distributed denial of service attacks (DDoS). Criminals arrange for multiple computers, often based all over the globe, to repeatedly open a website at the same time. This floods the targeted network’s servers with a huge amount of web traffic which can knock them offline, meaning other users cannot access web-based services.
A quarter of colleges across the UK suffered a DDoS attack last year. The number of colleges being hit and the frequency of attacks are on the up, according to edtech company Jisc. There has been an average of 12 DDoS attacks a week against colleges in the UK in the first three months of this year – an increase of 27 per cent from the same period last year, with twice as many colleges being hit.
Like colleges across the UK, Scotland’s FE colleges are currently signed up to IT services provided by not-for-profit company Jisc, which offers them a high level of protection against cyberattacks through its Janet network. The contract for this is held by the Scottish Funding Council, and the service is therefore free for colleges at the point of use.
But Jisc could be about to experience a serious hit to its finances. The Westminster government’s Department for Education plans to significantly reduce funding for these services for colleges in England. College leaders there will have to decide whether to sign up independently for Jisc’s services or look for a cheaper but potentially less secure and comprehensive service.
Jisc has outlined that the “majority of colleges” down south should expect to pay in the region of £20,000 a year for the services they currently get for free – with large college groups potentially facing annual subscription bills of more than £100,000. The withdrawal of government funding in England has raised concerns about the future of Jisc and whether Scottish colleges will continue to receive the same level of service.
Paul Feldman, Jisc chief executive, says: “Arguably, our security team ensures that tertiary education is one of the most well protected of any UK business or industrial sector, and we believe that no other body can provide a better protection service to the sector. To our members, we are the fourth emergency service.”
Ken Thomson, principal of Forth Valley College and a trustee and board member of Jisc, says that, from a cybersecurity perspective, colleges need to be “absolutely on the ball”.
The threat to colleges, he explains, is obvious. “On a weekly basis, we have between 30-40 intrusion alerts,” he says. “There is a huge risk for colleges if you get this wrong. You really have to absolutely understand the [security] package you are getting.”
When security is not up to scratch there can be devastating consequences for organisations that the public relies on. It is one year to the day since computers around the world were hit by a cyber attack that employed a virus called WannaCry, a form of ransomware that encrypted files on an infected computer and threatened to delete them unless the victim paid a ransom.
The NHS computer system was badly hit and 20,000 hospital appointments and operations were cancelled across the UK. Ministers have since allocated an additional £196 million to boost cybersecurity in the NHS in England over the next two years.
In a recent report on the incident, Westminster’s Commons Public Accounts Select Committee acknowledged that “future attacks could be more sophisticated and malicious in intent”.
With more and more money at large and medium-sized enterprises being pumped into cyber security, criminals are increasingly targeting educational settings like colleges, says Nicholas Hartley, head of business development at Ecclesiastical Insurance, who covers cybersecurity. He says that colleges present unique challenges because of the need for students and staff to access files remotely, so the systems “can be a little bit porous”.
Hartley says what makes the college sector interesting in terms of cybersecurity is that there are external threats, but also threats can come from inside the college itself. “If you have tech-savvy students being taught how to code, some might like to show off their skills to their peers,” he explains. Just last year, a former Manchester College student was handed a 16-month suspended prison sentence for hacking into the Jisc network and then boasting about it on social media.
Shona Struthers, chief executive of Colleges Scotland, says that cybercrime is taken extremely seriously by colleges in Scotland. “Colleges work closely with the Scottish Funding Council to ensure the appropriate infrastructure and procedures are in place to mitigate the risk,” she explains.