A quarter of universities have been attacked at least eleven times in past 12 months, according to FOI respondents
LONDON - April 26, 2017 - 70 percent of UK universities that responded to a Freedom of Information (FoI) request have reported that they have fallen victim to a phishing attack in which an individual has been tricked into disclosing personal details via an email purporting to be from a trusted source. Duo Security, the leading cloud-based trusted access provider, made the FoI requests to 70 universities across the UK in November 2016, of which 51 responded.
These findings follow a recent warning from the UK's Fraud and Cybercrime Centre, Action Fraud, of a phishing scam specifically targeting UK university staff. The bogus email claims the recipient is due for a pay increase, then directs them to click on a link and enter financial details and university logins.
The FoI findings also reveal the frequency with which universities are targeted by phishing attacks, with 12 of these universities reporting they had been attacked more than ten times in the past year. Seven of the universities that responded, including those with GCHQ Certified degree courses 1 - Oxford University and Cranfield University - reported they had been struck more than 50 times.
When asked about specific security measures in place for digital devices, operating systems and apps which access the corporate network, only two universities reported they were able to apply patches and upgrades within 48 hours of notification. Four of the universities reported that it typically took longer than 30 days to implement these updates.
Henry Seddon, Vice President of EMEA for Duo Security, comments: “The findings reveal that universities – staff and students – make popular targets for these attacks, which leaves them vulnerable to all kinds of security risks. The challenge is that phishing attacks are increasingly sophisticated – a targeted spear phishing attack can be particularly difficult to spot – but they can ultimately compromise the security of the entire network. They open the doors to hackers, with stolen credentials, to access an organisation’s system virtually undetected, posing as an authorised user. Worryingly, phishing is now the most popular way of delivering ransomware onto an organisation’s network.”
Seddon continues: “Universities need to be vigilant and practice good cyber security hygiene: security updates should be installed as soon as they are available as attacks delivered via phishing campaigns can specifically target out-of-date systems or unpatched software. Education is vital, so keep staff and students updated on the risks that phishing can pose – advising them not to click on any links or attachments that look suspicious.“
For more information on the study and phishing prevention tips, please visit Duo’s blog.
Notes for Editors GCHQ Certified Degree Courses: https://www.ncsc.gov.uk/information/gchq-certified-degrees
About Duo Security: Duo Security is a cloud-based Trusted Access provider protecting thousands of the world’s largest and fastest-growing companies and organizations, including Dresser-Rand Group, Etsy, Facebook, K-Swiss, Paramount Pictures, Random House, SuddenLink, Toyota, Twitter, Yelp, Zillow and more. Duo’s innovative and easy-to-use technology can be quickly deployed to protect users, data and applications from breaches, credential theft and account takeover. The Ann Arbor, Michigan-based company also has offices in San Mateo, California; Austin, Texas and London. Duo is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures and True Ventures. Try it for free at duo.com.
Meredith Corley & Jordan Fylonenko