Every leading UK university is compromising on email security, researchers say

Proofpoint said none of the top ten universities in the UK have implemented the recommended email security policies, leaving institutions open to cyber attacks

Leading universities in the UK, US, and Australia have been criticised over ‘less than adequate’ cyber security practices by experts. 

Researchers at security company Proofpoint said every one of the top ten universities in the UK is failing to take “appropriate measures” to secure against email-based cyber attacks.

Looking at the top ten universities in the UK, US, and Australia together, the company concluded that 97% were failing to implement adequate security controls, leaving staff and students vulnerable to attacks.

The research focused on the universities’ implementation of the domain-based message authentication, reporting, and conformance (DMARC) protocol used to prevent domain spoofing.

DMARC offers three degrees of protection depending on the implementation, and Proofpoint said none of the UK’s top universities has implemented the most secure method, which is the recommended one.

The researchers said this opens up university staff and students to become victims of email fraud since the establishments don’t actively block fraudulent emails from reaching their targets.

Proofpoint said DMARC can either monitor, quarantine, or reject suspicious emails, with ‘reject’ offering the greatest protection since it prevents emails from appearing in targets’ inboxes.

It said ‘monitor’ allows emails to enter the inbox, while ‘quarantine’ sees suspicious emails sent to spam folders. Quarantine is a weaker form of security but a common one: the suspicious nature of the email is flagged to the user, and the decision can be corrected if it is deemed to be a false-positive detection.

The majority of universities (75%) only have the ‘monitoring’ policy in place meaning potentially malicious emails can make their way into inboxes freely.

Other companies suggest there are other ways to implement DMARC. Agari suggests that if an email service is set up for quarantine, suspicious emails can be flagged to the administrator for further review. The administrator will then determine whether or not to forward the email to the intended recipient.

This, according to Agari, differs from delivering to a spam folder, which can be a different implementation entirely.
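The three policy levels described above are published in the `p=` tag of a TXT record at `_dmarc.<domain>`, where `p=none` is the ‘monitor’ setting. The following is an added example, not part of the original article or Proofpoint's research: it classifies constructed sample records on made-up `.example` domains, and the function names are this example's own.

```python
# Added example: classify DMARC posture from the text of a domain's
# _dmarc TXT record. All records below are constructed samples.

SAMPLE_RECORDS = {
    "uni-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@uni-a.example",
    "uni-b.example": "v=DMARC1; p=quarantine; pct=50",
    "uni-c.example": "v=DMARC1; p=reject",
    "uni-d.example": None,  # no _dmarc TXT record published
    "uni-e.example": "v=spf1 include:_spf.uni-e.example -all",  # SPF, not DMARC
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None  # the version tag must be the first tag in the record
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Map a record to the article's levels: monitor, quarantine or reject."""
    if txt is None:
        return "no-record"
    tags = parse_dmarc(txt)
    if tags is None or "p" not in tags:
        return "invalid"  # needs manual review
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    level = "monitor" if policy == "none" else policy
    # pct below 100 applies the policy to only a share of failing mail
    pct = tags.get("pct", "100")
    if level != "monitor" and pct.isdigit() and int(pct) < 100:
        level += "-partial"
    return level

def audit(records):
    return {domain: classify(txt) for domain, txt in records.items()}

def not_enforcing(records):
    """Domains that do not fully reject mail failing DMARC."""
    return sorted(d for d, lvl in audit(records).items() if lvl != "reject")

if __name__ == "__main__":
    for domain, level in audit(SAMPLE_RECORDS).items():
        print(f"{domain:15} {level}")
```
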

Universities are often the targets of cyber attacks and numerous UK-based establishments have become high-profile victims in recent years, such as the University of Sunderland, the University of Northampton and the University of Hertfordshire.

Students are often seen as easy targets for gaining access to a university’s systems, given their relative inexperience with large computer environments and cyber security practices, as well as their use of personal devices on the network.

Universities are also high-profile targets for state-sponsored hacking groups given the high-value nature of the work stored at the institution.

Leading universities that are working on cutting-edge research are especially vulnerable to attacks from hostile forces looking to steal information and secrets, potentially related to national security.

“Higher education institutions are highly attractive targets for cyber criminals as they hold masses of sensitive personal and financial data,” said Adenike Cosgrove, cyber security strategist at Proofpoint. “The COVID-19 pandemic caused a rapid shift to remote learning which led to heightened cyber security challenges for education institutions opening them up to significant risks from malicious email-based cyber attacks, such as phishing.” 

“Email remains the most common vector for security compromises across all industries. In recent years, the frequency, sophistication, and cost of cyber attacks against universities have increased. It is the combination of these factors that make it especially concerning that none of the UK top ten universities is fully DMARC-compliant.”

As universities prepare to welcome a fresh intake of students for the coming academic year, Proofpoint said the new students’ inexperience with cyber security could provide ample opportunity for cyber criminals to exploit email-based attacks on universities.
