No wonder Brit universities report hacks so often: Half of staff have had zero infosec training, apparently

Nearly half of British university staff say they have received no cybersecurity training, according to a recent survey. Most worryingly, 8 per cent of the 86 universities that answered pentesting biz Redscan's Freedom of Information questions said they had reported five or more breaches to the Information Commissioner's Office …

  1. Joe W Silver badge

    Mostly it's common sense for the users, don't click on stuff, don't visit sketchy sites, don't share your password.

    The problem is that running a special course for all staff and students is not feasible, with externally sourced courses it's a financial problem. Internally you could pull something off during the orientation phase of the first semester. I actually did run an intro course to our Linux pool a decade or so ago (ok, more than a decade).

    Plus isn't the theory that the digital naives don't need that?

    (I like the auto correct typo above... Not on purpose)

    1. Headley_Grange Silver badge

      Common Sense

      I think it's a lot more than common sense. I regularly try to tell my family members about risks online. Most are gobsmacked to find out that an email can appear to have been sent by someone they know yet still contain dangerous content. As for it not being feasible to run courses - a simple cost-based risk evaluation should put paid to that - just ask the Garmin directors.

      1. veti Silver badge

        Re: Common Sense

        The financial question is, what is the return? Sure you can give basic training to everyone for £x thousand, but "basic training" will only do so much. And for the same money, you can probably hire one or more full time infosec specialists - which may be a better use of your budget.

        1. 2+2=5 Silver badge

          Re: Common Sense

          Agreed.

          Another way to look at it is to say that it's not a financial 'problem', it's a cost of doing business. Do they want to continue being a University is the question they should be asking themselves. Because ransomware attacks are not going to go away.

          On-line courses are naff and boring, but cover the basics quite well. Certainly better than nothing.

        2. Anubiss

          Re: Common Sense

          Hiring infosec specialists to bolt on controls after the system is designed, built and fielded only partially solves the problem. Systems that are fundamentally flawed (most systems) are systemically weak from a safety, security and privacy perspective; infosec folks need to be in the design and development team from the start of the project.

    2. Doctor Syntax Silver badge

      It ought to be part of the normal induction. No login ID nor .ac.uk email address without it.

      1. Mike 137 Silver badge

        part of normal induction

        Making it part of normal induction probably wouldn't help that much as normal induction is generally a perfunctory exercise run from a checklist. One time training won't stick either. Unless the entire corporate culture is security aware, nothing will really help. A lax culture breeds lax habits, and most corporate cultures I've encountered in a couple of decades of risk consulting are lax. Even "standards compliance" is rarely more than a paper exercise to satisfy periodic audit.

        Just for example, "don't click on links" doesn't work where the Board regularly circulate emails containing links to documents "all staff must familiarise themselves with". Expecting a busy non-technical staffer to be able to distinguish between a genuine email from the CEO and a bogus one is pie in the sky.

        However it shouldn't be possible for malicious code run at a user's workstation to spread throughout the infrastructure. Setting up and managing your infrastructure so it contains breaches locally rather than letting them spread globally is not beyond the realms of possibility. But this is rarely done, witness Equifax among many others. The fundamental problem is not expert adversaries, but inadequate defenders.

        1. Anonymous Coward

          Normal Induction

          I did some work for an oil company. There was an hour's induction course, mostly on safety - and it could have been described as perfunctory and checklist based, including rules about holding on to banisters when on staircases, reversing into parking spaces and the mandatory transporting of coffee in lifts. We were given a safety manual at the end of it and told to read it. The final part of the induction course was "...and if you break any of the rules your contract will be terminated on the spot and you'll be escorted off site". My first action after the course was to go and re-park my car properly and I assure you that I read and re-read the manual and took site safety very seriously.

    3. IGotOut Silver badge

      Thousands on Infosec training?

      What a pathetic excuse, I'll do it for a fraction of that.

      1. Produce a Youtube video with basics such as passwords, links and spotting dodgy websites. Make people watch it.

      2. Stick posters up saying stuff like "Don't Click It" or "Verify the source" rather than crap motivational posters.

      3. Randomly try basic social engineering work on people and make everyone aware of the failures.

      Get it done for free by getting Cyber Security and Psychology students to run the program.

    4. Stuart Castle Silver badge

      The thing is, it isn't always common sense. I've seen some phishing emails that really do look legit. Gone are the days when scammers would send out emails (with bad spelling and grammar) that just bluntly asked you to enter your login details into some website the URL of which bore no resemblance to their actual company website URL, to sort out some invented problem on your account.

      Some scammers do send out emails that look a lot like they come from Amazon, or Paypal, with URLs that are just a slight misspelling of the original. Even those that come from a scammer pretending to be an educational institution can look very convincing. Admittedly it *is* difficult for a scammer to get hold of an ".ac.uk" domain, but how many people would notice if the URL shown was <institution>.co.uk instead of <institution>.ac.uk (with <institution> being any educational institution)?

      Also, when determining the value of doing courses like this, you need to factor in the costs of a breach. Not only will the costs of the breach include the cost of any damage done to the institution and its systems, but there will be a loss of reputation (hard to actually put a value on this), and there may be a legal cost, whether from legal action (users suing etc) or even fines from the ICO. Bear in mind that the ICO's maximum fines are calculated as a percentage of the institution's gross turnover, so can be many millions of pounds.

      Training isn't perfect, and no automated system will prevent 100% of scam emails organisation wide, but I would argue that both help reduce the chances of users getting and acting on scam emails, and a course costing a few thousand pounds is a lot better for the balance sheet than legal action that can run into the hundreds of thousands, or even millions of pounds.
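      Stuart Castle's point about lookalike domains (a suffix swap such as <institution>.co.uk for <institution>.ac.uk, or a one-character misspelling of a brand) is something a mail gateway or link-rewriting proxy can check automatically rather than leaving it to a busy reader. The following is an added example written for this thread, not code from The Register or any commenter; the trusted domains, the public-suffix list and the two-edit threshold are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample data: an institution's own registered domains and the
# public suffixes this toy splitter understands. A real deployment would load
# both from inventory / the Public Suffix List; these are assumptions.
TRUSTED_DOMAINS = ("exampleuni.ac.uk", "exampleuni-alumni.org.uk")
KNOWN_SUFFIXES = ("ac.uk", "co.uk", "org.uk", "gov.uk", "com", "org", "net", "uk")


def split_registrable(host):
    """Split 'mail.exampleuni.ac.uk' into ('exampleuni', 'ac.uk')."""
    host = host.lower().rstrip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):  # longest first
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            return label, suffix
    parts = host.rsplit(".", 1)  # unknown suffix: fall back to last two labels
    return (parts[0], parts[1]) if len(parts) == 2 else (host, "")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted_domain_or_None) for a link found in an email."""
    host = urlparse(url).hostname  # hostname only: ignores scheme, port, path
    if not host:
        return "unparseable", None
    host = host.lower()
    for t in trusted:  # exact domain or a genuine subdomain of it
        if host == t or host.endswith("." + t):
            return "trusted", t
    label, suffix = split_registrable(host)
    for t in trusted:
        t_label, t_suffix = split_registrable(t)
        if label == t_label and suffix != t_suffix:
            return "suffix_swap", t  # e.g. exampleuni.co.uk vs exampleuni.ac.uk
        if 0 < edit_distance(label, t_label) <= 2:
            return "lookalike", t  # e.g. examp1euni.ac.uk
    return "unknown", None
```

"unknown" is not "safe": it only means the host is not near one of the institution's own names, so a gateway would still apply its usual reputation checks to it.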

    5. Cuddles Silver badge

      The problem is that such sense is clearly not common. Hence the need for actual training.

  2. Tomislav

    Re: Ah IT 'managers'

    Cybersecurity training, day 1, lesson 1 - don't use public cloud. :)

  3. Anonymous Coward

    Which is really ironic as I'm doing an online MSc in Computer Science with Cyber Security at guess where?

    University of York!

    1. Commswonk Silver badge

      University of York!

      Whereas all the others are at the University of Bork, I daresay.

    2. Anonymous Coward

      University of York!

      ... and did they make you do a relevant induction process?

  4. brotherelf

    Worryingly?

    I'm not worried about the 8% that report 5+ incidents. "Prof sends a mail to students and uses CC instead of BCC" is a data breach that technically needs to be reported. Frankly, "prof has former student's mail still in address book" is probably an incident in and of itself because the reason for processing is gone.

    I'm worried about the 92%, because I fear 91% don't look or don't report, and only 1% is running a proper shop.

    (And we all know that all it takes to make a university stop dead is a handful of current or former students requesting the full extent of information GDPR entitles them to. Yes, that includes paper files.)

  5. Anonymous Coward

    At the university where I work, we have an online training course on cyber security and data protection which is mandatory for all staff to complete annually. When we ran a phishing test a sizeable proportion of staff still clicked on the link in the fake phishing email.

    1. veti Silver badge

      This, right here, is the thing. The kind of training that can feasibly be delivered en masse to those sorts of numbers of people - is going to be of questionable value. Heck, the very fact that it's being given to everyone is probably enough to devalue it for some people, who will assume - not unreasonably - that if the bosses really cared, something more targeted would be happening.

    2. mikepren

      It's not if they click on the first link, it's if they still click after round 3.

      This has to be iterative.

      1. monty75

        Chop one hand off each time they click on the phishing test. If they manage a third time they're probably beyond help.

        1. Tascam Holiday
          Coat

          "Chop one hand off each time they click on the phishing test. If they manage a third time they're probably beyond help"

          That person we would call 'clever dick'.

    3. lglethal Silver badge
      Facepalm

      I hope you ran your phishing test better than our firm. IT did up an interesting case; it looked like it could be legitimate, but with that slight whiff that made my alarm bells go into warning mode... So I actually checked, and whilst the email came from offsite (our IT provider's own site, so not exactly an unknown or faked address), the phishing link was to a website within our firewall. So I clicked on it, as did a lot of others (admittedly most of the others probably didn't do the checks I did), and IT got all high and mighty that we had all fallen for their phishing scam, but the fact that they'd linked to one of our own websites and used their own email address kind of represented a massive fail on their part. If the scammers can set up a phishing pool on our own websites and use one of their email accounts to send out phishing emails, then we've got bigger problems, don't you think?

    4. Anonymous Coward

      Write it into their contract. Deduct 1 week's pay for each time they click a link on a phishing email.

      Then start sending test emails every week. You'll be surprised how quickly some people learn.

    5. Anonymous Coward

      We have the same thing where I work. I let my (then) 3 year old son, who couldn't really read at the time, take the multiple guess test at the end... he passed.

  6. Pascal Monett Silver badge

    Little by little, the lesson is sinking in

    Security. It's a thing you need to take into account. People are learning that the way they usually do: the hard way.

    In this particular case, it's not the universities that are at fault. It's one of their suppliers that was clueless. The only mistake the unis made was using that supplier.

    I'm guessing they won't learn anything from that either.

  7. Doctor Syntax Silver badge

    No need to worry, Privacy Figleaf and those special contract clauses will protect you.

    Of course as data subjects whose data got breached you can only take legal action in the US. Surely the class action lawyers must be right onto this already.

  8. Dr Dan Holdsworth
    FAIL

    Do not pay off criminals

    So now we have Blackbaud joining the ranks of the people who have paid extortion money, and think that a criminal is going to suddenly turn white as snow just because they have managed to screw some money out of a mark. This is the height of folly; paying a ransom merely demonstrates to the criminal that the info is worth money, something that they didn't know beforehand. Oh lookey here, now we have something of value in our hands; let's hawk it round the darknet forums and see what anyone else will pay for it...

    Idiots.

    1. IGotOut Silver badge

      Re: Do not pay off criminals

      Look at the numbers hit. If only 5% pay up, that's a huge amount of money with very little risk.

    2. Headley_Grange Silver badge

      Re: Do not pay off criminals

      So what do you do if your system is held to ransom and you can't bring it back and you've kicked all the "would've, should've, could've" people out of the office?

  9. Anonymous Coward

    staff competence

    From my experience, part of the problem is the recruitment process, the salary for support staff, and general work procedures.

    In the places I've worked, all they've asked for is basic computer literacy as a desirable requirement for staff, if they even ask at all.

    And with the peanuts they pay admin staff, you get a very low number of applicants.

    When I started at an organisation a few years ago I was required to read and sign the staff rules. The section relating to computer use was a generic cut and paste piece of boilerplate that was at least 15 years out of date. One of the first things I did after joining was get them to re-write it.


  10. Anubiss

    Stop blaming the user - design better systems

    This is just another /blame the user/ article. Users will /always/ do dumb stuff, even after they are "trained". A better approach is to determine within a system/organization what are the bad things that the system owners don't want to happen (unacceptable loss), and determine what typical kinds of hazardous control actions/conditions lead to those losses. Then design the system to prevent those things or place constraints/controls that completely disallow those things from occurring. If a system is too feature rich or too flexible... such that /it's possible/ to do bad stuff, it's because of the lack of foresight, planning and training on the part of the /developers/ and the people who are paying them (owners). Stop blaming users for stupid design, stupid features, stupid user interfaces... owners and developers are to blame. <I am both an owner and a developer>

    1. bob42

      Re: Stop blaming the user - design better systems

      The user has to have some responsibility. If I could design a system that 100% protected the user from themselves, and always did the right thing regardless of what the user did, well, I could then do away with the need for the users in the first place.
