Security researchers from Jisc, a Government-funded agency which provides universities and colleges with digital support, were able to penetrate the universities’ defences within the two-hour time-frame 100 per cent of the time.

The report said that universities are not doing enough to protect themselves against cyber criminals, and urged them to take immediate action.

Dr John Chapman, head of Jisc’s security operations centre and the author of the report, warned it was critical to build robust defences at universities in order to avert a “potentially disastrous” data breach, or even an entire network outage.

“Universities can’t afford to stand still in the face of this constantly evolving threat,” he said. “While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment.”

The report also warned that phishing attacks against students are becoming more sophisticated and have increased within UK institutions. Among such attacks include scams which falsely offer free grants to students, or ask them to update their bank details so that loans can be paid. “Spear phishing” attacks – where an email appears to have been sent from a trusted sender in order to convince people to disclose confidential information – are also becoming more common, the report added.

More than 1,000 cyber-attacks were detected against 241 education and research institutions in the UK last year. As well as students being tricked to hand over money, hackers could also turn their attention to universities’ highly valuable research data.

“Universities hold masses of data on sensitive research, on the inventions of the future and on their staff and students, but some of it is not properly secured,” said Nick Hillman, director of HEPI (which published the report with Jisc).

“The two main functions of universities are to teach and to research. Students like having their personal data used to improve teaching and learning. But this support is conditional and is unlikely to survive a really serious data breach. Meanwhile, future UK economic growth is highly dependent on university research. This provides valuable information that a few unscrupulous foreign governments are keen to access,” he said.

The experts said regulators should set minimum requirements for cybersecurity at UK institutions in order to tackle the problem.

Professor David Maguire, chairman of Jisc and vice-chancellor of the University of Greenwich, added: “Universities are absolutely reliant on connectivity to conduct almost all their functions, from administration and finance to teaching and research. These activities accrue a huge amount of data; this places a burden of responsibility on institutions, which must ensure the safety of online systems and the data held within them.”

In January 2019, a GCHQ programme designed to encourage young people to develop their cybersecurity skills had trebled its intake since the programme run by the National Cyber Security Centre (NCSC) was launched in 2016.

Security researchers from Jisc, a Government-funded agency which provides universities and colleges with digital support, were able to penetrate the universities’ defences within the two-hour time-frame 100 per cent of the time.

The report said that universities are not doing enough to protect themselves against cyber criminals, and urged them to take immediate action.

Dr John Chapman, head of Jisc’s security operations centre and the author of the report, warned it was critical to build robust defences at universities in order to avert a “potentially disastrous” data breach, or even an entire network outage.

“Universities can’t afford to stand still in the face of this constantly evolving threat,” he said. “While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment.”

The report also warned that phishing attacks against students are becoming more sophisticated and have increased within UK institutions. Among such attacks include scams which falsely offer free grants to students, or ask them to update their bank details so that loans can be paid. “Spear phishing” attacks – where an email appears to have been sent from a trusted sender in order to convince people to disclose confidential information – are also becoming more common, the report added.

More than 1,000 cyber-attacks were detected against 241 education and research institutions in the UK last year. As well as students being tricked to hand over money, hackers could also turn their attention to universities’ highly valuable research data.

“Universities hold masses of data on sensitive research, on the inventions of the future and on their staff and students, but some of it is not properly secured,” said Nick Hillman, director of HEPI (which published the report with Jisc).

“The two main functions of universities are to teach and to research. Students like having their personal data used to improve teaching and learning. But this support is conditional and is unlikely to survive a really serious data breach. Meanwhile, future UK economic growth is highly dependent on university research. This provides valuable information that a few unscrupulous foreign governments are keen to access,” he said.

The experts said regulators should set minimum requirements for cybersecurity at UK institutions in order to tackle the problem.

Professor David Maguire, chairman of Jisc and vice-chancellor of the University of Greenwich, added: “Universities are absolutely reliant on connectivity to conduct almost all their functions, from administration and finance to teaching and research. These activities accrue a huge amount of data; this places a burden of responsibility on institutions, which must ensure the safety of online systems and the data held within them.”

In January 2019, a GCHQ programme designed to encourage young people to develop their cybersecurity skills had trebled its intake since the programme run by the National Cyber Security Centre (NCSC) was launched in 2016.