Cyber Security Update

Recent attacks in the sector, Common Cyber Security Myths, and the Importance of Awareness Training

How is it April 2022 already?! At least Spring is on the way, and we can look forward to longer and sunnier days (wishful thinking?). Whilst the weather may be changing, the pandemic continues to affect how we live our daily lives, albeit to a much lesser extent, and the Higher Education sector remains on a heightened alert due to the devastating situation in Ukraine.

Despite the sector (and many others) being on high alert and as a result, many bolstering their defences, increasing monitoring and vigilance, there have been several significant cyber-attacks recently, both within the Higher Education sector and within the Scottish Charity sector. Whilst there is currently no evidence to suggest that either of these attacks are linked to the escalating conflict in Ukraine, it goes to show how opportunistic cyber attackers are.

Whilst the University of Stirling has not been affected by either of the recent attacks, we are continuing with a dynamic and proactive approach and continuing to monitor our systems and services for suspicious activity. You may wonder why universities are often targeted by cyber-attacks. As one of our colleagues, Rory, outlined previously (see here for full article) universities have a wealth of personal and financial information, research data and intellectual property, but also a wide range of contacts and communications with a variety of stakeholders. This data means we are often a prime target so enabling staff and students to recognise suspicious activity and keep their data secure, is a huge part of our defences.

Common Cyber Security Myths

There are several cyber security myths out there, often perpetuated by certain imagery on TV (queue lone person with a hoodie on in a darkened room, entering code…) but many of them can be easily debunked.

The first one is usually the perception that only large companies or organisations are targeted. Whilst this is true in some cases, it is not the case for most. There are many different motivations for cyber attackers, some of which do not need to be political or even malicious but can be personal, which is where the insider threat can come into play. You will have heard of ex or current employees, whistle blowing (which is their right to do so) but some have chosen to handle things differently. Just think of Edward Snowden or Chelsea Manning as examples.

The second one is usually around cyber attackers being lone individuals or unorganised. Again, this is not the case for most cyber-attacks. I am sure most if not everyone will have heard of Anonymous. Most hacker groups tend to be large networks and appear to have a global reach, although there are still cases of solo attackers. Most attacks, given the complexity involved now, are well planned and thorough. If you are interested to hear more, the Lazarus Heist podcast, gives a good outline of the level of planning and resources required in stealing over $100 million dollars from a bank!

Another misconception is that anti-virus or anti malware software is enough to prevent cyber-attacks. Whilst anti-virus and anti-malware software is essential in any cyber security plan, it only protects against one type of cyber threat. Cyber-attacks are varied and ever changing but there are multiple different ways to bypass anti-virus and anti-malware software (this includes Apple devices too), such as phishing or ransomware. Whilst it is a good start, be aware that they are ways round anti-virus and anti-malware software so they will not protect you against every type of attack.

Importance of Information Security Awareness for staff and students

According to the ITRC* and this article here, there were significantly more data breaches (69%) in 2021 than in 2020. Most of the breaches were as a result of cyber-attacks and with the three most common causes being:

  • Phishing or Business Email Compromise
  • Ransomware
  • Malware

Unfortunately, staff and students are often targets for cyber-attacks but not because they think either of these groups are malicious (although in some cases, the insider threat is very real), however, in most cases, people are targeted as they are likely to make a mistake at some point, and majority of the time, it is not malicious and is unintended.

The most common data breach? Yup you guessed it, sending sensitive information to the wrong person, usually by entering the wrong email or misspelling a name. We know everyone makes mistakes so to help minimise accidental data loss or accident sharing, we are currently trialling several tools to minimise our ability to unintentionally share information. This may result in a few small changes in the future, but it will hopefully give you all peace of mind, knowing that the University is continually reviewing its process to make practices more secure and easier to use.

So why do we need staff to engage in training? Cyber-attacks are becoming increasingly more sophisticated and targeted and with new threats or methods of attack being discovered regularly, we need staff to feel confident in recognising suspicious or unusual behaviour and knowing how to report this. You may have heard about the HSE attack last year, which took down the Irish Health Service. The method of attack: malware released by a staff member clicking on an excel file attached to a phishing email. Contrary to what is portrayed in the media, the attackers did not inflict damage immediately, they gathered information and moved laterally through the IT systems before deploying ransomware approximately 8 weeks later, locking HSE out of all their data, including patient data.

This is one of the reasons, the University will continue to highlight and encourage engagement in Information Security Awareness training, as it is an important tool in keeping you and the University safe. If you haven’t already, please undertake the following training modules which can be accessed via Workrite:

We have also developed an animation which outlines the importance of being vigilant when receiving emails, clicking on links, or opening attachments.

The animation can be found here:

If you are unsure about whether an email or message is genuine, do not click on the links or open any attachments. If you do click on links or open an attachment, please make the Information Centre aware immediately as this will allow us to investigate as soon as possible and possibly contain any malware.