Skip to main content

About the author

Roland Thomas

Associate Director | Corporate Development

Roland is an Associate Director in Thomas Murray’s Corporate Development team. He joined Thomas Murray in 2018 with responsibility for group strategy, partnerships and corporate finance. More recently, Roland’s role has focused on establishing Thomas Murray’s cyber risk business, starting in 2021 with the launch of our Orbit Security platform, and the development of our expert cyber risk consultancy. Roland has a BA in English Language and Literature from Oxford University.

Unavoidably, higher education institutions have a greater number of vulnerabilities – that is, a bigger attack surface – than almost any other kind of organisation.

Ransomware attacks are on the rise across every sector and industry, but universities are among the institutions singled out by cyber criminals looking for large amounts of valuable personal data. When this is coupled with a huge attack surface, it’s clear why almost 30% of all cyber incidents in the higher education sector over the course of 2021/22 were ransomware attacks.

But why are university attack surfaces so large? And what do threat actors really hope to gain by focusing on academic institutions?

A university doesn’t know where its weak points are

One of the first problems most universities should deal with is one they don’t even know that they have.

Unmaintained, dormant websites are littered across the networks of higher education bodies. As early adopters of the worldwide web, universities have unusually large numbers of these defunct websites, which are often relics of specific academic projects.

This is not just a legacy problem. New sites will be cropping up around a university’s domain network all the time, only to be abandoned in turn. Even while these sites are actively maintained, the sheer number of them acts as a magnet for data breaches.

It is not just the research data and personal information lying around in these neglected corners of the network that pose an issue. As unpatched security and PHP software decays, these sites effectively become welcome mats for cyber criminals looking for even more current (and lucrative) data assets.

New developments, like campuses reliant on the Internet of Things and departments researching quantum computing, create new areas of risk exposure. Add into the mix siloed teams working in isolation from each other, and it becomes a perfect storm of vulnerabilities. For example, in 2020 Michigan State University paid out more than US$1m in recovery costs after a ransomware attack enabled by a communication breakdown between one of its departments and its central IT operations team.

With automated network monitoring, like that provided by Orbit Security, you can improve your attack surface discovery and management. Orbit will rapidly identify your public-facing IT infrastructure, and ensure that all of your teams are working with accurate, real-time threat intelligence.

A happy hunting ground

Threat actors are attracted to the education sector for a number of reasons, but higher education organisations are most attractive. One reason is that students are the worst…at spotting scams. It’s estimated that 70% of all breaches in the education sector begin with a humble email.

This is a major concern. Given the rapid advances in AI, even seasoned professionals are having trouble spotting phishing scams and other forms of social engineering. But ease of access is not all that makes your institution so irresistible to threat actors.

In general, there are three typical motivations for cyber criminals:

1. Money

No surprises here – financial reward is top of the list for most cyber criminals. Ransomware attacks levelled against universities yield the best results, because universities rely on their reputations to attract students and remain profitable. A university perceived as having weak cybersecurity measures puts its reputation at risk, and threat actors weaponise this fear by encrypting their victims’ files and literally demanding a ransom to restore access. These days, cyber criminals don’t even need to be particularly tech-savvy to pull this off, thanks to the proliferation of Ransomware as a Service (RaaS) outfits like Black Basta.

A slightly more refined version of the financially-motivated hacker will go straight after the university’s payment systems, sometimes by spoofing accounts payable to divert funds from unsuspecting students. 

2. Information

Once in possession of the kind of sensitive, personal information that universities keep about their students, faculty members and suppliers, there is no end to the damage that a threat actor can do.

Stolen identities (comprised of everything that a university would be expected to hold about its student body, from names and addresses through to medical histories and payment details) can be traded on the Dark Web for large sums, but financial gain is just the tip of the iceberg.

A politically or ideologically motivated threat actor, for example, could falsify or destroy research data. They could also interfere with research in progress, or leak information.

3. Malice

This one is difficult to categorise, as there is often no ‘why’ behind a DDoS (Distributed Denial of Service) attack – unless it’s to keep IT security teams frantically busy while mischief is carried out elsewhere.

A DDoS attack is essentially a blitz-style assault on a network from multiple directions at once, with the aim of overwhelming the network to the point of temporary or permanent collapse. This makes them a favoured tactic in cyberwarfare, and universities are an obvious target because of the vital role they play in the economic, political and cultural life of society.

Our Solution: Orbit Security

Instead of juggling multiple open-source and paid-for tools, Orbit Security is a single source of threat intelligence that automatically and continuously discovers your attack surface, monitors for breaches, vulnerabilities and misconfigurations, and recommends priorities for your remediation roadmap.

  • Discover your attack surface using Orbit Security’s proprietary Network Footprint Discovery ML algorithm. From a single parent domain, we will discover all your interconnected infrastructure to a high degree of accuracy, regardless of who manages it.
  • Analyse the threat intelligence assessments provided for every domain and sub-domain in your infrastructure, or view your risk exposure aggregated by the six threat categories in our methodology: Breach, Configuration, Mail, DNS, HTTP, SSL/TLS.
  • Mitigate risks according to clear priorities set out in Orbit Security’s assessments, improve your security posture, monitor your third parties and report with confidence to your board.

Reporting is essential to any IT security team, and speaking senior management’s language is crucial. We help by providing off-the-shelf reports:

Management reporting

Our cyber security ratings present complex information in a way that’s easy for both stakeholders outside your team and senior management to understand, allowing you to communicate clearly and effectively what your security pain points are and what resources you need to address them.

Vendor risk reporting

You will be instantly notified if one of your third parties has its security rating downgraded. Thomas Murray will engage with them at your request to provide free and full access to their own threat intelligence assessment, improving the security of your entire ecosystem.


Orbit Security

Orbit Security

Security ratings for enhanced attack surface management and third party risk. Monitor for breaches and vulnerabilities that could be exploited by threat actors.

Learn more

Contact an expert

Robert Smith

Robert Smith

Head of SaaS Sales and Customer Success 

Roland Thomas

Roland Thomas

Associate Director | Cyber Risk