UK universities have come under fire for alleged “less than adequate” cybersecurity practices, according to a report.
Security vendor Proofpoint assessed leading colleges and found 100% failed to protect against fraudulent emails.
The figure was 97% in other parts of the world.
The research focused on the universities’ implementation of the domain-based message authentication, reporting, and conformance (DMARC) protocol used to prevent domain ‘spoofing’.
DMARC offers three levels of protection depending on how it is implemented, and Proofpoint claimed that none of the UK’s top universities has implemented the recommended, most secure level.
Proofpoint said DMARC can either monitor, quarantine, or reject suspicious emails, with ‘reject’ offering the greatest protection since it prevents emails from appearing in targets’ inboxes.
The majority of universities (75%) only have the ‘monitoring’ policy with the result that potentially malicious emails can make their way into inboxes freely.
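The three levels described above correspond to the `p=` tag of a domain's DMARC TXT record (`none`, `quarantine`, `reject`, as defined in RFC 7489). The following Python is an added example, not part of Proofpoint's report: it classifies a record's enforcement level and flags settings that weaken it. The function names, placeholder domains and sample records are constructed for illustration.

```python
# Added example: classify DMARC TXT records by enforcement level (RFC 7489 tags).
# SAMPLES holds constructed records for placeholder domains, not real data.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return (level, findings) for a record string, or for None when no record exists."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no record", ["no valid DMARC record published"]
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        return "invalid", ["missing or unknown p= tag"]
    findings = []
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(f"policy applies to only {pct}% of failing mail")
    sp = tags.get("sp", policy).lower()  # subdomain policy defaults to p=
    if sp != policy:
        findings.append(f"subdomains use sp={sp}")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are received")
    return LEVELS[policy], findings

SAMPLES = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
    "missing.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        level, findings = assess(record)
        print(f"{domain:16} {level:11} {'; '.join(findings) or 'ok'}")
```

Only the `strict.example` record corresponds to the ‘reject’ level; a ‘quarantine’ or ‘reject’ policy with `pct` below 100 or a weaker `sp` still leaves part of the domain's mail unenforced.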
Adenike Cosgrove, Cyber Security Strategist at Proofpoint, said: “Higher education institutions are highly attractive targets for cyber criminals as they hold masses of sensitive personal and financial data.
“The COVID-19 pandemic caused a rapid shift to remote learning which led to heightened cyber security challenges for education institutions opening them up to significant risks from malicious email-based cyber attacks, such as phishing.
“Email remains the most common vector for security compromises across all industries. In recent years, the frequency, sophistication, and cost of cyber attacks against universities have increased. It is the combination of these factors that makes it especially concerning that none of the UK’s top ten universities is fully DMARC-compliant.”
Universities may be vulnerable when a new intake of students arrives for the coming academic year, when cybercriminals could target the academic institutions with email attacks.
According to Proofpoint, the World Economic Forum reports that 95% of cybersecurity issues are traced to human error, yet according to Proofpoint’s recent Voice of the CISO report, Chief Information Security Officers (CISOs) in the education sector underestimate these threats, with only 47% believing users to be their organisation’s most significant risk. Concerningly, education sector CISOs also felt the least backed by their organisation, compared to all other industries.
With the shift to remote (and more recently, hybrid) learning, Proofpoint experts anticipate that the threat to universities will continue to increase. The lack of protection against email fraud is commonplace across the education sector, exposing countless parties to impostor emails, also referred to as business email compromise (BEC).
BECs are a form of social engineering designed to trick victims into thinking they have received a legitimate email from an organisation or institution. Cybercriminals use this technique to extract personal information from students and staff by using luring techniques and disguising emails as messages from the university IT department, administration, or a campus group, often directing users to fake landing pages to harvest credentials.
“Email authentication protocols like DMARC are the best way to shore up email fraud defences and protect students, staff, and alumni from malicious attacks. As holders of vast amounts of sensitive and critical data, we advise universities across the UK to ensure that they have the strictest level of DMARC protocol in place to protect those within their networks.
“People are a critical line of defence against email fraud but their actions remain one of the biggest vulnerabilities for organisations. DMARC remains the only technology capable of not only defending against but eliminating domain spoofing or the risk of being impersonated. When fully compliant with DMARC, a malicious email can’t reach your inbox, removing the risk of human interference,” concluded Cosgrove.