A new VMWare study suggests hidden troubles at many UK institutions

Britain’s universities are a globally-prized repository of research data, intellectual property and employ some of the world’s foremost thinkers on a wide range of subjects. To wit, this makes them an obvious target for the world’s cybercriminals, including those with political as well as commercial motivations. Universities also host hundreds of thousands of students and teachers, who must count as the most difficult network users imaginable because they are often workers and customers at the same time.

It is surprising that almost no effort has gone into finding out how well this vital sector has been coping with the cybercrime phenomenon. Recently, software firm VMware has had a stab at redressing this in a report that questioned senior IT people at 50 of the UK’s universities, the results of which gives an interesting insight into the possible damage that is being done and the dilemmas faced by these institutions when defending themselves.

Computerworld UK is normally sceptical about vendor-driven surveys based on small sample sizes but in the case of universities, 50 institutions is roughly a third of the entire sector and offers a good number to start building a picture of what might be going on.

On some levels, VMware’s findings are much as might be expected – universities are being aggressively targeted in much the same way as many other sectors in the UK and beyond. The study doesn’t offer a lot of detail but does at least raise some larger and pertinent issues.

Students are the primary target: In terms of the volume of attacks, the main target for external hackers is students, although half of the university professionals also rated students as being a major risk in and of themselves. Most of this was down to ignorance of security risks and a cavalier attitude to online safety mixed with a small level of deliberately malicious behaviour.

Frequency of attacks: Nine out of ten universities admitted to having suffered at least one successful cyberattack (e.g. on students or theft of IP) with about the same number believing these to be increasing. A third of universities said these were now happening on an hourly basis.

Types of attack: Following on from this, slightly more than four in ten universities had experienced the loss of student data including dissertation materials and exam results, 25 percent had experienced the loss of IP while 28 percent reported that research data had been the main target.

Are universities defences up to the job? Universities are publically-funded and, in the UK at least, always short of money. Not surprisingly, two thirds said that their existing IT infrastructure was not up to the job, a quarter thought their datacentre was ‘inadequate’ while almost nine in ten believed more funding would be necessary to protect university IP going forward.

Too much old equipment: Universities are still over-reliant on a lot of traditional security such as firewalls and antivirus that wouldn’t have been out of place in the 1990s, suggests VMWare’s UK Government and Public Services director, Tim Hearn. Perhaps, then, it is about money, at least in part. Equipment will have to replaced in the immediate future, a time when budgets will be under huge pressure. A deeper question is whether universities have specialised needs – balancing a need to share but also protect - that can’t easily be protected by general-purpose IT security architectures. University IT defeats simple models of perimeter security, especially as a rapid migration to cloud computing continues apace.

Security doesn’t add enough obvious value: No student or staff member assesses a university’s security posture before agreeing to study or work there. It is just assumed that security has been dealt with. This might be changing. Reputational damage seems remote for universities but that might no longer be the case with nearly eight in ten claiming to have suffered loss of reputation as the result of a cyberattack.

Reaching vice chancellors: Every enterprise security 101 implores organisations to bridge the culture gap between managers, in this case vice chancellors, and IT. In universities, which are complex organisations, that might be easier said than done. University management structures seem to vary from institution to institution.

Reconciling complex values such as openness: According to VMWare’s Hearn, the problem is less about not having the money to fix problems as having to reconcile security with the understandably deeply-ingrained value of openness on which universities are founded.

“The whole idea of a university is to encourage openness. There has been a reluctance to invest in security…that might compromise that,” he told Computerworld UK. “It is incredibly difficult to get the balance right.” This culture of openness also explains why valuable and sometimes sensitive data and code is sometimes posted on public forums when it shouldn’t be.

UK universities under cyberattack - can higher education defend itself?

Universities as businesses in denial: Are these values of openness out of date? In short, no, but the conception of how universities work is changing in subtle ways. Universities and researchers scramble for money in a funding market with finite resources and yet universities still struggle to think of themselves as full-fledged businesses. If they did, VMWare suggests, they might invest more in security and secure processes.