A test of UK university defences against cyber-attacks found that in every case hackers were able to obtain “high-value” data in less than two hours.
The tests were carried out by ethical hackers working for Jisc (formerly the Joint Information Systems Committee), the agency that provides internet services to the UK’s universities and research centres. They were able to access personal data, finance systems and research networks.
University research projects have been major hacking targets, with more than 1,000 cyber-attacks last year. Penetration testing was carried out on more than 50 universities in the UK. Some were subject to multiple attacks.
A report into their effectiveness, published by Jisc and the Higher Education Policy Institute (Hepi), showed a 100% success rate in getting through the cyber-defences. Within two hours, and in some cases one hour, the testers were able to reach student and staff personal information, override financial systems and access research databases.
The tests were carried out by Jisc’s in-house team of ethical hackers.
John Chapman, head of Jisc’s security operations centre, warned of the risk of a “disastrous data breach or network outage”. On the basis of the test results he said: “we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment”.
A Universities UK spokeswoman said university leaders were working with the National Cyber Security Centre (NCSC) to “help improve and strengthen security practices to better protect the sector from cyber threats”.
“Data security is an absolute priority,” she added.