Most colleges in the UK are currently signed up to IT services provided by not-for-profit edtech company Jisc, which offers them a high level of protection against cyberattacks through its Janet Network.
However, from August 2019, the Department for Education says it will reduce funding for Jisc, forcing it to move to a “mixed-funding model” in England. College leaders will have to decide whether to sign up independently to Jisc’s services or look elsewhere for a cheaper, but potentially less secure, service.
This comes at a crucial time – cyberattacks on college computer systems are increasing both in frequency and in scope, according to new statistics seen by Tes. One of the methods criminals are using against colleges are distributed denial of service (DDoS) attacks. Criminals will arrange for multiple computers, often based all over the globe, to repeatedly open a website at the same time. This floods the targeted network’s servers with a huge amount of web traffic, which can knock them offline, meaning other users cannot access web-based services.
A quarter of colleges suffered a DDoS attack last year. Both the number of colleges being hit and the frequency of attacks is on the rise, according to Jisc. There were, on average, 12 DDoS attacks per week against colleges in the UK in the first three months of this year – an increase of 27 per cent compared with the same period last year, with twice as many colleges being hit.
Jisc has provided services for FE colleges since 1999, and Robin Ghurbhurun, principal at Richmond upon Thames College, points out that many leaders in FE are not aware of the service they receive because “it has always been there”.
'The fourth emergency service'
“If we look at cybersecurity,” he says, “my college could literally be under attack and I wouldn’t even know about it because of the strength of service Jisc provides.”
Jisc chief executive Paul Feldman agrees: “Arguably, our security team ensures that tertiary education is one of the most wellprotected of any UK business or industrial sector, and we believe that no other body can provide a better protection service to the sector. To our members, we are the fourth emergency service.”
Jisc has outlined that in a new subscription model the “majority of colleges” could expect to pay in the region of £20,000 a year for the services they currently get for free – with large college groups potentially facing annual subscription bills of more than £100,000.
Ken Thomson, principal of Forth Valley College and a trustee and board member of Jisc, says that from a cybersecurity perspective, colleges need to be “absolutely on the ball”. The threat to colleges, he explains, is obvious: “On a weekly basis, we have between 30 and 40 intrusion alerts.”
He adds that colleges should not be tempted to simply look for a cheaper alternative to Jisc once the subscription model comes into being – which will not be introduced in Scotland – and should be completely aware of whether any alternative package offers the same protection. “There is a huge risk for colleges if you get this wrong,” he says. “You really have to absolutely understand the package you are getting.”
Ghurbhurun, meanwhile, warns that in seeking a similar, cheaper, service to Jisc, there is no guarantee that the quality of service would be the same. “And if it fails, the risk to the organisation, staff and learners would be significant,” he says. “That is a risk I am not willing to take.”
When security is not up to scratch, there can be devastating consequences for organisations upon which the public relies.
It is one year nearly to the day since computers around the world were hit by a cyberattack that employed ransomware called WannaCry, which encrypted files on infected computers and threatened to delete them unless the victim paid a ransom. The NHS computer system was badly hit and 20,000 hospital appointments and operations were cancelled across the UK.
Ministers have since allocated an additional £196 million to boost cybersecurity in the NHS over the next two years. In a recent report on the incident, the Public Accounts Select Committee acknowledged that “future attacks could be more sophisticated and malicious in intent”.
With large and medium-sized enterprises increasingly pumping money into their cybersecurity, criminals are tending to target softer targets including educational settings such as colleges, says Nicholas Hartley, head of business development, who covers cybersecurity at Ecclesiastical Insurance. He says colleges present unique challenges because of the need for students and staff to access files remotely, so the systems “can be a little bit porous”.
Hartley says that what makes the college sector interesting is that threats can arise both internally and externally. “If you have tech-savvy students being taught how to code, some might like to show off their skills to their peers,” he says. Just last year, a former Manchester College student was handed a 16-month suspended prison sentence for hacking into the Jisc Network and then boasting about it on social media.
Julian Gravatt, deputy chief executive of the Association of Colleges, says: “Cybersecurity is one of the biggest issues facing all organisations, big and small, and colleges are no exception. It is worth reminding the government that college budgets have been hit harder than any other part of the education system over the past eight years and cuts to Jisc funding will make it more difficult to protect against cyber intrusions, and as a result, colleges are potentially more vulnerable.
“We will continue to work with Jisc and other partners to ensure that colleges are properly equipped to tackle current and future challenges, while continuing to push the government to fairly fund FE.”
A DfE spokesperson says: “Colleges must take responsibility for their own cybersecurity and ensure they have good measures in place to protect against online threats. Our grant to Jisc ensures they are able to provide a secure and high-quality service at an affordable cost to colleges.
“Cybersecurity is a top priority for the government. We are investing £1.9 billion in the national cybersecurity strategy and have opened the National Cyber Security Centre, which is working with public and private sector organisations to make the UK the safest place for everyone to live and work online.”