No wonder Brit universities report hacks so often: Half of staff have had zero infosec training, apparently

Nearly half of British university staff say they have received no cybersecurity training, according to a recent survey.

Most worryingly, 8 per cent of the 86 universities that answered pentesting biz Redscan’s Freedom of Information questions said they had reported five or more breaches to the Information Commissioner’s Office over the past 12 months.

The concerning results continued when further education institutions were asked to disclose how much security training their staff received. 46 per cent of staff received no training at all, while one Russell Group uni said that just 12 per cent of its staff had received “any” training in infosec matters.

eye roll

Brit unis hit in Blackbaud hack inform students that their data was nicked, which has gone as well as you might expect


“The fact that such a large number of universities don’t deliver cybersecurity training to staff and students, nor commission independent penetration testing, is concerning,” said Redscan chief techie Mark Nicholls. “These are foundational elements of every security program and key to helping prevent data breaches.”

Making up for the lack of widespread security training was the level of dedicated infosec staff employed by universities, which stood at a grand averaged total of three qualified people. Those three people were at least supported by the 51 per cent of universities that said they did provide some cybersecurity training to their students.

The news comes as universities continue mopping up from the Blackbaud supply chain attack, where a provider of cloud-based CRM systems used for alumni relations and fundraising suffered a ransomware attack. Blackbaud then paid off the criminals, notifying customers two months later.

‘Blackbaud has stated this copy [of your data] was then destroyed’…. Well, if they say so!

Newcastle, De Montfort and Brunel Universities are the latest to tell students and alumni their data was handed to criminals. In an email seen by The Register, De Montfort warned its alumni: “Blackbaud has stated this copy [of your data] was then destroyed before it could be passed on further or misused, although this cannot be guaranteed.”

Newcastle University said that “no direct action in relation to this incident is required at this stage”.

Despite urgings from GCHQ and similar agencies to be on alert for cybersecurity threats, it appears universities are still largely fumbling in the dark. Last year the academic Joint Information Systems Committee (JISC) said a pentesting exercise it ran resulted in a 100 per cent compromise rate.

“Even at this time of intense budgetary pressure, institutions need to ensure that their cybersecurity teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding,” concluded Redscan’s Nicholls. ®