Every leading UK university is compromising on email security, researchers say


Leading universities in the UK, US, and Australia have been criticised over ‘less than adequate’ cyber security practices by experts.

Researchers at security company Proofpoint said every one of the top ten universities in the UK is failing to take “appropriate measures” to secure against email-based cyber attacks.

Looking at the top ten universities in the UK, US, and Australia together, the company concluded that 97% were failing to implement adequate security controls, leaving staff and students vulnerable to attacks.

The research focused on the universities’ implementation of the domain-based message authentication, reporting, and conformance (DMARC) protocol used to prevent domain spoofing.

DMARC offers three degrees of protection depending on the implementation, and Proofpoint said none of the UK’s top universities has implemented the most secure level, which is the recommended one.

The researchers said this leaves university staff and students exposed to email fraud, since the institutions don’t actively block fraudulent emails from reaching their targets.

Proofpoint said DMARC can either monitor, quarantine, or reject suspicious emails, with ‘reject’ offering the greatest protection since it prevents emails from appearing in targets’ inboxes.

It said ‘monitor’ allows emails to enter the inbox, while ‘quarantine’ sends suspicious emails to spam folders. Quarantine is a weaker form of security but a common one: the suspicious nature of the email is flagged to the user, and the decision can be corrected if the detection is deemed a false positive.

The majority of universities (75%) only have the ‘monitoring’ policy in place, meaning potentially malicious emails can make their way into inboxes freely.
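The three policy levels described above, as an added example that is not part of the original article or Proofpoint's research: a Python check that grades DMARC TXT records as monitor, quarantine or reject. It assumes the RFC 7489 tag syntax, in which 'monitor' is published as `p=none`; the domains and records are constructed samples.

```python
# Added example: grade constructed DMARC TXT records by policy level.
# Tag names and defaults follow RFC 7489; the domains below are placeholders.

LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade(txt_records):
    """Return (level, notes) for the TXT records found at _dmarc.<domain>."""
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return "no-dmarc", ["no DMARC record published"]
    if len(records) > 1:
        return "no-dmarc", ["multiple DMARC records: receivers apply none of them"]
    tags = parse_dmarc(records[0])
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        return "invalid", ["missing or unknown p= tag"]
    notes = []
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        notes.append(f"pct={pct}: policy applied to only part of failing mail")
    sp = tags.get("sp", policy).lower()  # subdomains inherit p= when sp= is absent
    if sp != policy:
        notes.append(f"subdomains use sp={sp}")
    if "rua" not in tags:
        notes.append("no rua= address, so no aggregate reports are received")
    return LEVELS[policy], notes


# Constructed sample records, not taken from any real domain.
SAMPLES = {
    "monitor-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:d@partial.example"],
    "strict.example": ["v=spf1 -all", "v=DMARC1; p=reject; sp=reject; rua=mailto:d@strict.example"],
    "unprotected.example": ["v=spf1 include:_spf.example -all"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, *grade(txt))
```

A domain graded 'reject' can still carry notes, such as a weaker `sp=` for subdomains or a `pct=` below 100, that reduce the protection it gets in practice.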

Other companies suggest there are other ways to implement DMARC. Agari suggests that if an email service is set up for quarantine, suspicious emails can be flagged to the administrator for further review. The administrator will then determine whether or not to forward the email to the intended recipient.

This, according to Agari, differs from delivering to a spam folder, which can be a different implementation entirely.

Universities are often the targets of cyber attacks and numerous UK-based establishments have become high-profile victims in recent years, such as the University of Sunderland, the University of Northampton and the University of Hertfordshire.

Students are often seen as easy targets for attacks on a university’s systems, given their relative inexperience in navigating large computer environments and with cyber security practices, in addition to their use of personal devices on the network.




Universities are also high-profile targets for state-sponsored hacking groups given the high-value nature of the work stored at the institution.

Leading universities that are working on cutting-edge research are especially vulnerable to attacks from hostile forces looking to steal information and secrets, potentially related to national security.

“Higher education institutions are highly attractive targets for cyber criminals as they hold masses of sensitive personal and financial data,” said Adenike Cosgrove, cyber security strategist at Proofpoint. “The COVID-19 pandemic caused a rapid shift to remote learning which led to heightened cyber security challenges for education institutions opening them up to significant risks from malicious email-based cyber attacks, such as phishing.”

“Email remains the most common vector for security compromises across all industries. In recent years, the frequency, sophistication, and cost of cyber attacks against universities have increased. It is the combination of these factors that makes it especially concerning that none of the UK’s top ten universities is fully DMARC-compliant.”

As universities prepare to welcome a fresh intake of students for the coming academic year, Proofpoint said the new students’ inexperience with cyber security could provide ample opportunity for cyber criminals to carry out email-based attacks on universities.

Connor Jones
