Happy to lose £300k to cyber crime? Get a university research partner

Posted by Gemma Sirett on February 27, 2020

A higher education research partner has the potential to be hugely beneficial for your business, both financially and reputationally. But universities – especially the well-funded, prestigious Russell Group – are an attractively lucrative target for cyber attacks, thanks to their invaluable research in the fields of science, economics, medicine, and defence.

State-sponsored attackers make a beeline for these research-intensive institutions, looking to gain a defensive or commercial advantage over the UK. No matter how secure your business’ defences are, if your university research partner’s IT estate is poorly protected, you’re opening your systems up to compromise.

Research projects generate a university an average of £22million per year, yet cyber security spend averages just 8% of their budget[1]. Although higher spend doesn’t necessarily equate to stronger security, this imbalance suggests that cyber security isn’t gaining the recognition and due attention it necessitates as a top priority and major business risk.

61% of universities claimed suffering a cyber attack had forced a research project to stop[2]. But there are longer-term, more significant effects – in such a fiercely competitive sector, reputation is everything. Suffering a cyber attack can lead to massive reputational damage and loss of trust in a higher education institution, which can affect its ability to attract research support and talent, including sponsors, partners, teaching staff, and students.

There are financial ramifications to consider too. 92% of UK universities said that a single successful cyber attack on research data could result in an estimated average loss of £300,000[3]. In the first half of 2018 alone, UK Finance estimated that UK university losses from cyber crime were a cool £145m[4]. And that’s just the figures for universities – consider what the financial loss would look like for your business if your research partner fell victim to a cyber attack.

So what are universities doing to combat the threat?

At the moment, not a lot. An NCSC report noted that “the proportion of UK universities achieving Cyber Essentials certification has almost trebled in a year”, increasing from 14% to 40%[5]. This sounds positive on the face of it until you look into what Cyber Essentials actually covers – it’s the bare minimum, common sense sort of stuff you’d be hard-pressed not have on your network by default. It’s far from a comprehensive, robust cyber security strategy, and won’t prevent sophisticated nation state threat actors from getting exactly what they want. It’s too little too late, and universities know it.

The same report noted that in contrast to primary and secondary education, nearly three-quarters of higher education providers have dedicated cyber security staff. While this is a positive sign, can their resource and capability can keep up with the myriad demands posed by the evolving threat landscape? Are they a sufficient match for highly-skilled, well-funded state-sponsored cyber attackers? The evidence against them doesn’t look good. The BBC reported that when testing the defences of over 50 UK universities, ethical hackers were able to access high value data (personal data, financial systems, and research networks) within two hours every single time[6].

Universities need to take bigger, bolder, more robust steps to protect themselves and their valuable research. Before embarking on a research partnership, make sure your business has a clear picture of the university’s cyber security posture – what level of risk are you exposing your systems to by partnering with them?

It’s time for higher education establishments to take a more proactive approach to their cyber security, which accurately reflects the substantial volume and severity of threats the sector faces – not just for universities themselves, but for the businesses and partnerships on which they rely.

  1. SC Magazine
  2. SC Magazine
  3. SC Magazine
  4. FE News
  5. NCSC
  6. BBC