Jisc has released an updated version of its cyber impact report.
Designed to help those charged with data protection, risk management and cyber security leadership in HE institutions and research, the publication is a revised version of the original published in November 2022.
The major development, says the not-for-profit digital services supplier, is the growing volume and changing nature of ransomware attacks.
More than 100 individual schools have been affected by such attacks in the last year, while the number of FES and HE organisations impacted rose from 15 in 2020 to 18 last year.
“Ransomware attacks have also evolved over this time,” says the report, “with more threat actors applying ‘double extortion’ to their attacks, meaning not only are they demanding a ransom to provide a decryption key, but are also threatening to make sensitive data public if the ransom isn’t paid.”
The cyber impact report claims that the financial impact of data breaches is yet to be widely appreciated, citing 2021 research by IBM and the Ponemon Institute that put the average cost to an institution in the education sector at more than £2.9m.
While acknowledging that such a figure “may seem unrealistic”, Jisc adds: “From [our] work in helping HE institutions and FES providers recover from ransomware incidents, we are aware of impact costs exceeding £2m.”
The report also highlights how many students – particularly international students – have proven susceptible to phishing scams.
One university told Jisc that, in a single year, around 200 of its students and staff members had fallen for voucher scams costing a combined £50,000-£100,000.
To that end, Jisc recommends that institutions should:
- publicise how criminals exploit current events
- help people to anticipate and expect scams
- demystify and de-sensationalise criminal activity
- explain the signs of a scam
- encourage people to report scams and make it easy to do so
- ensure victims are supported and not penalised
The news is by no means all bad. Thanks in no small part to Covid and the need to facilitate remote learning, institutions have become notably better at ensuring their systems cannot be accessed via a single password; as first reported in the 2021 Jisc Cyber Security Posture Survey, there has been a steep rise in the number of schools and HE institutions deploying multifactor authentication (MFA).
On the other hand, the report finds that the sudden rise in remote learning left security and IT staff under increased pressure.
One FE provider is quoted as saying: “We are doing our best, but all areas of IT support seem to be growing and requiring more attention, and it’s one part of a larger role, where its importance should be far greater. The pandemic has only stretched us further.”