NCSC releases first cyberthreat assessment for universities

The National Cyber Security Centre has released a report today outlining the threats facing UK universities and steps they can take to protect themselves.

Cybersecurity threats to HE

The National Cyber Security Centre (NCSC) has today released its first threat report specifically for the HE sector.

The report shows that although phishing attacks and malware pose the most immediate, disruptive threat to universities, nation states looking to steal research pose a much more long-term threat.


Key effects of this long-term threat include:

  • Damage to the value of research, notably in STEM subjects,
  • A fall in investment by public or private sector in affected universities,
  • Damage to the UK’s knowledge advantage.

How universities can protect against cyber-attacks

Universities are encouraged to store potentially sensitive or high-value research separately, rather than keep it together in one area.

The report also found that, because of the ‘outward-looking’ nature of the UK HE sector, the ease of collaboration across international borders also makes a cyber-attacker’s job easier.

The data held by universities that is most likely to be of interest to a nation state includes:

  • Emails,
  • Bulk personal information on staff and students,
  • Technical resources (e.g. documentation and standards),
  • Sensitive research and intellectual property.

Matt Lock, technical director at data security company Varonis, said: “The recommendations from the National Cyber Security Centre are spot on, but some universities will struggle to change outdated systems, gain control of digital files that are everywhere and open to everyone, and update information access to a least-privilege model.

“Funding is one factor, but so is managing data in a collaborative academic environment in which information must be shared, turnover is steady, and attackers have countless tools and tricks up their sleeves to compromise systems. Attackers will continue to win until UK universities make data protection a priority.”

The likelihood of attacks on universities

The likelihood of attacks happening is measured by the following scale, included in the report:

PHIA probability scale

Further measures to support universities in guarding against cybersecurity attacks are included in Trusted Research, a guidance resource for HE from the Centre for the Protection of National Infrastructure (CPNI) and the NCSC.

Sarah Lyons, deputy director for economy and society at the NCSC, said: “The NCSC’s assessment helps universities better understand the cyber threats they may face as part of the global and open nature of research and what they can do about it using a Trusted Research Approach.”

Update: Jisc’s head of security operations centre, Dr John Chapman, told ET today: “The NCSC’s report on the risks to universities reflects our own experiences and assessment of the current trend in threats to the sector. Jisc’s research over the past three years has shown that universities consider phishing attacks, social engineering and malware some of the biggest risks. To reduce the chances of staff and students falling victim to these tricks, we advocate a rolling programme of security awareness training for everyone as well as implementing technical controls. 

“Organisation-wide cyber security strategies with robust policies and procedures are more important than ever if universities are to protect the large amounts of valuable and sensitive research data that is becoming an increasing target from state-sponsored cyber criminals looking to exploit intellectual property for gain.”

The full report can be viewed at