Explainers & Guides

TPRM in Higher Education: Securing UK Universities from Cyber Attacks

Recent hacks into university data and systems highlight the importance of TPRM in higher education. Find out what this means.


The 2023 Cybersecurity Breaches Survey revealed that 85% of UK universities have experienced some form of data breach, highlighting the growing cyber security risks faced by higher education institutions. 

According to a recent government review, these institutions are considered "vulnerable" and are increasingly "targeted" by hostile states, particularly China. As a result, university leaders have received security service Cobra briefings to address these threats. The Deputy Prime Minister, Oliver Dowden, emphasised the need to balance academic freedom with national security concerns. 

Just as for financial institutions, Third-Party Risk Management (TPRM) has become a vital part of the strategy for protecting student, staff, and sensitive research data as well as university systems from cyber threats. 

Here, we explore the importance of TPRM in the higher education sector and provide practical guidance for implementing effective measures to ensure the protection and security of institutional and personal data from potentially malicious actors.

Why TPRM Has Become A Priority in Higher Education

Cyber security has become a pressing concern for universities within the United Kingdom, and TPRM has a vital part to play in the strategy to address the unique challenges faced by these institutions. Several factors have contributed to the heightened urgency of implementing solid TPRM programmes in the higher education sector in recent years.

Rising Geopolitical Tensions

With escalating geopolitical tensions and the rise of state-sponsored cyber threats, universities have become prime targets for adversaries seeking to gain unauthorised access to valuable research data, intellectual property, and sensitive information. 

Nation-state actors may attempt to exploit vulnerabilities in university systems to steal proprietary research, disrupt operations, or conduct cyber espionage activities.

Universities' Unique Vulnerabilities

Universities face unique cyber security challenges due to their open and collaborative nature and the constantly changing population of individuals with access to their systems.

With thousands of students, faculty, and staff members using university networks and resources, the attack surface is significantly larger than for many other organisations. This increased exposure, coupled with the variety of devices and software used, makes universities more vulnerable to cyber threats. 

Thus, it is essential that universities, supported by the UK government, adopt an institution-wide approach to protecting their systems and their valuable data.

Suppliers: A Potential Weak Link

One of the primary concerns for universities should be the potential vulnerabilities in their vast ecosystem of third-party suppliers and vendors.

Educational institutions often rely on numerous external partners for various services, including:

  • Cloud computing
  • Software solutions
  • Outsourced operations
  • And many other service providers 

However, many universities lack effective TPRM programmes, leaving their systems and data exposed to the risks introduced by these external relationships.

Why Is Student, Staff, and Research Data Vulnerable, and What Types of Data Exist?

Universities possess a wealth of sensitive data that is valuable to cyber criminals and nation-state actors. The main types of data they hold include:

Student Data 

Educational institutions collect and store personal data on their students, including names, addresses, phone numbers, email addresses, health information, and financial information such as student loan details or tuition payment records.

If compromised, cyber criminals could exploit this data for identity theft, fraud, or other malicious activities. Moreover, sensitive information relating to academic records, disciplinary actions, and in particular health records could also be targeted, leading to potential privacy violations and legal consequences.

Staff Data 

As with student data, universities maintain personal and financial information about their employees, including faculty, administrators, and support staff. This data often includes sensitive details such as social security numbers, banking information, and employment records.

A breach of staff data could lead to identity theft, financial fraud, or even extortion attempts targeting employees.

Research Data 

Many universities conduct groundbreaking research in various fields, including science, technology, medicine, and engineering. Some of this work is not only of potential commercial interest but could also have sensitive national security implications; consider, for example, sensitive research in bioscience or virology.

This research data holds immense value and could be targeted by corporate competitors, foreign governments, or other malicious actors seeking to gain an unfair advantage or steal proprietary information.

The theft or misuse of research data could compromise years of intellectual property and undermine the competitive edge of universities and their partners.

Intellectual Property 

Beyond research data, universities generate valuable intellectual property through research and academia.  

This includes patents, copyrights, trade secrets, and other proprietary information. Cyber criminals can profit financially if they successfully steal such information, or nation-states could use it to advance their own technological capabilities, posing significant risks to universities' competitiveness and reputation.

Financial Records 

Like any organisation, including energy providers and medical centres, universities handle sensitive financial data, including payroll information, budgets, donor records, and investment portfolios. A breach of this data could lead to financial losses, reputational damage, and legal implications. Cyber criminals may seek to exploit financial records for fraud, extortion, or other illicit activities.

Strategies to Protect University Data and Systems Using TPRM

Implementing a comprehensive TPRM programme is vital for universities to mitigate the risks associated with third-party suppliers and vendors. Here are some strategies to consider:

  1. Vendor Risk Assessment: Conduct thorough risk assessments of all third-party vendors and suppliers before engaging their services. Evaluate their cyber security practices, data handling procedures, and overall risk profile.
  2. Contractual Obligations: Ensure contracts with third-party vendors include well-defined cyber security and data protection clauses, clearly outlining their responsibilities, security requirements, and penalties for non-compliance.
  3. Continuous Monitoring: Implement a continuous monitoring process to assess and evaluate the cyber security posture of third-party vendors regularly. This may involve periodic audits, security reviews, or the use of automated monitoring tools.
  4. Incident Response Planning: Develop a comprehensive incident response plan that addresses potential breaches or security incidents involving third-party vendors. Clearly define roles, responsibilities, and communication channels for a swift and coordinated response.
  5. Employee Training and Awareness: Provide regular cyber security training and awareness programmes for university staff and students. Educate them on the risks associated with third-party vendors, recognising potential threats, and following best practices for data handling and security.
  6. Centralised Vendor Management: Implement a centralised vendor management system to track and manage all third-party relationships. Maintain up-to-date information on vendor contracts, risk assessments, and compliance status.
  7. Collaboration and Information Sharing: Foster collaboration and information sharing within the higher education community. Participate in industry forums, share best practices, and leverage collective knowledge to enhance cyber security efforts and TPRM strategies.

Higher Education TPRM Case Studies and How Risk Ledger Can Help

Let's examine some real-world case studies to better understand the impact of supply chain attacks in higher education. These data breaches serve as stark reminders of the far-reaching consequences of a single compromised vendor or third-party partner.

Blackbaud Hack, 2020 

In 2020, a significant data breach occurred at Blackbaud, a cloud-based software provider widely used by educational institutions for fundraising and alumni management. 

Over 20 UK universities, including the University of Birmingham, De Montfort University, and the University of Exeter, were impacted by this incident. Cyber criminals targeted Blackbaud's systems, compromising sensitive personal data of students, alumni, and donors held by these institutions. 

This breach highlighted the ripple effect a single vendor's security lapse can have on numerous universities, emphasising the urgent need for comprehensive TPRM measures to secure universities’ corporate supply chains.

University of Greenwich, 2018 

In 2018, the University of Greenwich fell victim to a cyber security breach that exposed the sensitive data of nearly 20,000 individuals, including students, staff, and alumni. 

Hackers exploited an unsecured microsite hosted by a third-party vendor, gaining unauthorised access to personal information such as names, addresses, and phone numbers. 

In particular, this incident underscored the importance of proactive TPRM practices, as the University was fined £120,000 by the ICO for “not having the appropriate technical and organisational measures in place for ensuring security.”

Risk Ledger, a leading provider of TPRM solutions, offers a comprehensive platform designed to help higher education institutions effectively manage and mitigate third-party risks. 

Through Risk Ledger's solutions, higher education institutions can gain greater visibility into their third-party ecosystem, identify and address potential vulnerabilities, and ultimately enhance the protection of sensitive data and critical systems. 

By prioritising TPRM and securing their corporate supply chain, universities can safeguard student data, protect intellectual property, and maintain the trust and reputation of their esteemed institutions in an ever-evolving cyber security landscape.
