Universities: rich in knowledge, ripe for cyberattacks

The latest research into the state of cybersecurity defenses across universities in the UK shows some dismal stats. A quarter of universities report daily attacks, meaning that students, staff, and suppliers risk data and monetary theft. 

With freshers’ week a bleary, distant memory, and the autumn semester in full swing, criminals will be busy executing their carefully planned attacks on university students and employees. If you manage anything online, you’re fair game. 

But given the destitute reputation of students and the under-funded institutions, why don’t criminals switch focus to more lucrative organizations in finance, defense, or legal sectors where the payloads are so much higher?

Why target universities?

The most recent figures we could get our hands on suggested the UK university sector contributed £21.5 billion to the national economy. It’s worth more than you thought, right? Not only do universities bring money into our economy from international students, but many have vital roles in the country’s research posture, which in itself is worth a cool £22 million per university. 

That statistic right there is one of the biggest draws to compromising a university’s cybersecurity defenses – 93% of the research conducted at UK universities is commissioned by the government, making that research a point of interest for state-sponsored actors as well as cybercriminals on home soil. We can also assume that some of that research relates to national security, making those research departments a rich source of valuable data. 

So with personal data, intellectual property, and numerous income streams, universities need to be certain they’re defending all points of entry into their networks. 

The weakest link? 

As with any type of organization, universities need to ensure they’re protecting critical data and systems. One easy-to-ignore point of entry is email – most IT teams will reassure you that they have the latest and greatest email gateway protection, but many IT professionals fail to realize that even the tightest email gateway protection will be powerless against emails that purport to come from a legitimate source. 

Imagine you’re a research doctor working on a government-backed project, and the data you manage is GCHQ-level confidential. A colleague sends you an email asking for some of your research to be sent to them – it’s very last minute and very urgent and you haven’t got time to question it, so you attach the files to the email and hit ‘send’. It’s after your Vice Chancellor has been on the phone to your government research sponsor that you find out you’ve had a data breach of gargantuan proportions. How? A criminal impersonated your university’s domain and sent you an email that you believed to be real. 

It doesn’t take a degree… 

Only one form of email defense can stamp out these types of phishing attacks. DMARC (Domain-based Message Authentication, Reporting & Conformance) ensures that emails are authenticated before they come anywhere near your mailbox, and confirms that they’ve been sent from legitimate sources, blocking impersonated emails from reaching your spam or inbox.

Given DMARC is a government-backed tool, you’d assume most higher education institutions would have it in place to protect its students, staff, visitors and partners. So we checked. In 2019, we analysed the DMARC records of 172 higher education institutions in the UK, and found that 63% of universities didn’t have the protocol in place and were inadvertently putting users at risk of email fraud. The only good news from this research is that these figures were an improvement from our findings in 2017, when only 13% of the same institutions were using DMARC. 

The long-term damage from a breach goes beyond losing student funds or confidential data. It severely impacts the organization’s reputation – in the case of a university, this could lead to a major drop in funding, a stagnation in research, or worse still, state-sponsored attacks on related government agencies. 

If you want to find out more about the threat of cyberattacks in the education sector, the NCSC has recently published this report. And we’re a friendly bunch here too, so drop us a note to see if we can help you navigate your email impersonation.


Clare Holmes

22 Oct. 2019



Recent Posts


Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more

Navigating the Information Security Landscape: ISO 27001 vs. SOC 2

Red Sift

As cyber threats evolve, so do the standards and frameworks designed to combat them. Two of the most recognized standards in information security are ISO 27001 and SOC 2. What sets them apart, and which one is right for your organization? Let’s delve into the key differences. Purpose and Scope: Global Framework vs. Client-Centric…

Read more

G2 Summer 2024 Report: Red Sift OnDMARC’s Winning Streak Continues

Francesca Rünger-Field

We’re delighted to announce that Red Sift OnDMARC has again been named a Leader in G2’s DMARC category for Summer 2024. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift appeared in 11 reports – 5 new ones since Spring 2024! – earning 5 badges: A few…

Read more

Google will no longer trust Entrust certificates from October 2024

Red Sift

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now. On Thursday 27th June 2024, Google announced that it had…

Read more

Understanding the polyfill.io domain attack

Francesca Rünger-Field

tl;dr: The recent compromise of the polyfill.io domain has triggered a broad-reaching web supply chain attack, impacting over 100,000 websites across various sectors including finance, healthcare, non-profits, academia, and more. To ensure the security of your website, we strongly advise you immediately remove any reference to polyfill.io. Latest update: 27th June 2024 Sansec, a…

Read more