UK schools not doing their homework on email security
As students at schools and colleges in the UK begin to return after the summer break, new research shows that 96 percent of the top 50 state secondary schools, 92 percent of the top 50 sixth-form colleges and 80 percent of the top 50 universities in the UK are lagging behind on basic cybersecurity measures, leaving students, staff and partners at risk of email-based impersonation attacks.
The research from cybersecurity company Proofpoint is based on an analysis of DMARC adoption and reveals that 70 percent of UK schools have no published DMARC record, meaning they are currently taking no steps to protect themselves from domain impersonation.
"The reason educational institutions remain a highly attractive target for cybercriminals is they hold large amounts of sensitive, personal, and financial data. They also have a wide mix of users and use-cases; and they provide vital facilities, so canceling exams, writing off grades, and cutting off services is not an option," says Matt Cooke, cybersecurity strategist at Proofpoint. "Email is how the majority of threats arrive at any organization, so tightening email security should be a top priority. All users should be educated on the techniques the attackers use to trick, coerce and encourage them to engage with their malicious content."
An audit of cybersecurity in schools by the National Cyber Security Centre (NCSC) and the National Grid for Learning (LGfL) identified over three-quarters (78 percent) of UK schools as having experienced at least one type of cyber-incident in 2022.
Higher education institutions are making more progress towards DMARC adoption than schools, with 84 percent of the top UK universities and 78 percent of the top sixth-form colleges having started a journey towards DMARC adoption. Even so, 92 percent of the UK's top 50 sixth-form colleges haven't implemented DMARC at the recommended level (reject), and the same is true for 80 percent of the universities.
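The difference between having no record, having started on DMARC and enforcing the recommended "reject" level can be read straight from the TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not Proofpoint's methodology or code; the domains and records are constructed samples and the function names are hypothetical.

```python
# Added example: classify a domain's DMARC posture from its TXT record text.
# Input is the TXT string published at _dmarc.<domain>, or None if absent.
# All domains and records below are constructed samples, not survey data.

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if txt is not one."""
    if txt is None:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must begin with the version tag v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Map a TXT record (or None) to an adoption level."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no record"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid policy"
    if policy == "none":
        return "monitoring only"  # reports are collected, spoofed mail still delivered
    # pct below 100 applies the policy to only a share of failing mail.
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return policy if pct >= 100 else policy + " (partial)"

def survey(records):
    """Return per-domain levels and the percentage not at full reject."""
    levels = {domain: classify(txt) for domain, txt in records.items()}
    short = sum(1 for level in levels.values() if level != "reject")
    return levels, round(100 * short / len(levels))

SAMPLE = {  # constructed records
    "school-a.example": None,
    "school-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@school-b.example",
    "college-c.example": "v=DMARC1; p=quarantine; pct=50",
    "uni-d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@uni-d.example",
    "uni-e.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}

if __name__ == "__main__":
    print(survey(SAMPLE))
```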
"As people remain a critical line of defence against email fraud, educational institutions need to ensure that staff, students and parents are aware of basic security hygiene. Email authentication protocols like DMARC remain the best way to shore up email fraud defenses, eliminating domain spoofing or the risk of being impersonated. As holders of vast amounts of sensitive and critical data, we advise educational bodies across the UK to ensure that they have the strictest level of DMARC protection in place to protect those within their networks," adds Cooke.
You can find out more on the Proofpoint site.