A Freedom of Information (FoI) request has illustrated the cyber security threats facing UK universities, with 70 percent of respondents admitting to falling victim to a phishing attack.
For each of the 51 respondents to the FoI request, an individual was tricked into disclosing personal details via an email pretending to be from a trusted source.
The findings follow a recent warning from Action Fraud, the UK’s Fraud and Cybercrime Reporting Centre, of a phishing scam that is specifically targeting UK universities in the form of fake pay rise emails that direct victims to click on a malicious link.
Twelve of the universities that responded said they had been attacked more than ten times in the past year, with seven (including Oxford University) reporting that they had been hit more than 50 times in the same timeframe.
In terms of responses, only two universities said they were able to apply patches and upgrades to systems within 48 hours of the attack notification, and four said it typically takes longer than 30 days to implement such updates.
“The challenge is that phishing attacks are increasingly sophisticated – a targeted spear phishing attack can be particularly difficult to spot – but they can ultimately compromise the security of the entire network,” said Henry Seddon, Vice President of EMEA at Duo Security.
“Universities need to be vigilant and practice good cyber security hygiene: security updates should be installed as soon as they are available as attacks delivered via phishing campaigns can specifically target out-of-date systems or unpatched software.
“Education is vital, so keep staff and students updated on the risks that phishing can pose – advising them not to click on any links or attachments that look suspicious.”
As has been well advertised, phishing attacks were one of the most prominent threat vectors in 2016, targeting organisations in all manner of industries.
Apple users, for example, were targeted with a text message scam timed to coincide with October’s clock change in the UK, and the personal details of thousands of Seagate employees were stolen after an employee was tricked by a bogus email.
And the trend has continued in 2017, as phishing attacks have targeted the likes of Netflix, McDonald’s and even the Saudi Arabian government.