UK universities are failing to implement adequate cyber security, putting personal, financial and research data at risk.
According to Dr John Chapman, head of the Security Operations Centre at Jisc (Joint Information Systems Committee), cyber attacks against educational institutions are on the rise, but not enough is being done to counter them.
Writing in a policy note for the think tank Hepi (Higher Education Policy Institute), Chapman revealed the extent to which universities are currently experiencing cyber attacks. During 2018, 173 higher education providers sought help from Jisc’s Computer Security Incident Response Team – 12% more than the previous year.
As well as a rise in DDoS (distributed denial of service) attacks, institutions were also increasingly being targeted by phishing and spear phishing attempts. In many cases, these were state-sponsored attacks, designed to steal research data and intellectual property.There were also an alarming number of DDoS attacks perpetrated by insiders – most likely disgruntled staff of students.
Despite there being an obvious problem, the response from universities has been inadequate. Jisc surveyed IT and cyber security staff at various higher education institutions and found that only 15% would rate their own organisation at eight or more out of ten for their ability to protect themselves against breaches. The average score was just 5.9.
Furthermore, as part of a penetration test, Jisc found that 100% of spear-phishing attempts at a university were successful.
That is terrifying. Universities handle vast amounts of personal data, for students, staff, visitors and more. Plus the theft of research data can have real, detrimental consequences for everyone.
So why the low score?
“The reasons given for this relatively low figure include a lack of dedicated staff and budgets and a lack of policies, suggesting senior leaders are not taking the issue seriously enough.”
If alarm bells aren’t ringing at this point, they should be. It is, after all, often senior leaders who are targeted by cyber attacks such as spear-phishing (or ‘whaling’ if they’re important enough). As well as being high-value targets, these people are relatively easy to learn about, because typically their information will be available on the university website or their LinkedIn profiles.
There is, Dr Chapman argues, a tendency for senior people to regard cyber security as the sole responsibility of IT staff, even though cyber risks affect everyone and need to be addressed right across the board – including at management level.
“Cyber risk,” Dr Chapman says “cannot be delegated away from the governing body, and the executive management needs to be held accountable for ensuring that informed and appropriate decisions are being made which meet or exceed the expectations of any organisation's stakeholders – and the law.”
Without the full support of senior decision makers, who, of course, generally control the purse strings, IT and security providers and staff are unnecessarily hindered.
Of course, personally responsibility also has a massive role to play. Every individual within an organisation needs to be aware of cyber risks and how to act to minimise their impact. But that's a matter for management as well, because it may require coordinated educational campaigns, which they will likely need to fund and help get off the ground.
There are, as you might have already surmised, lessons to be learned well beyond the education sector. Yes, universities have certain requirements that make their cyber security demands more complicated, including a need to be open while also being secure, but in many ways they operate like normal businesses.
Just like universities, then, businesses need to ensure that senior decision makers are involved in cyber security matters and that everyone in their organisation is educated about cyber security. They also need to challenge the complacent attitude of assuming cyber security is only the IT department’s problem.
If they can't do that, then it may be time to go back to school.