Cybersecurity remains a critical issue that universities must face
Statistics show that universities are getting better at defending against and preparing for cyberattacks, but much more needs to be done, says Heidi Fraser-Krauss
It’s no surprise that our latest cybersecurity survey shows that universities cite ransomware as the top threat this year. There’s been a huge spike in this type of attack against our sector, with the number of incidents in the first half of 2021 surpassing the total in all of 2020. It’s fair to say that it’s no longer a question of whether an institution will face a cyberattack, but when.
Jisc and partner agencies including the National Cyber Security Centre have, for some time, been advising tertiary education providers on how to defend themselves. Even so, devastating attacks continue − systems are crippled, data are lost and stress levels soar for staff and students alike. Recovery can take months and cost millions.
It’s vital that we work together to reduce risk and strengthen security, and it’s essential that senior leaders get involved. Jisc’s role is to provide threat intelligence and guidance and protect the national research and education network, Janet, on which our members rely.
- Secure and transparent use of student data
- Cybersecurity in online learning
- Running safe and secure online meetings and calls
Vice-chancellors and boards are responsible for ensuring there is protection in place for the cyberspaces within their institutions, but our survey suggests that not all senior leaders are as engaged as they need to be.
Although 86 per cent of higher education institutions (HEIs) regularly report on cybersecurity risks and resilience to their executive board, and a similar percentage report that cybersecurity is a strategic priority at their university, this still leaves a significant minority where this is not the case.
These institutions are unlikely to have sufficiently robust processes and technical solutions in place to stop or mitigate an attack when it happens − and very unlikely to have recovery plans.
There is no silver bullet for this issue. Reducing the risk is multilayered and requires a range of interventions. We need ongoing government support for critical infrastructure, financial investment from the sector in specialist staff and services and leadership from senior teams to create the conditions to enable change to happen within their institutions.
Given the financial implications of the pandemic, investment will be a challenge, but it’s likely to be substantially cheaper than the devastating impact of a significant and sustained system outage and/or data breach.
There’s no doubt that recruiting skilled security and IT staff is difficult because of the UK’s technical skills shortage. While the government is tackling the skills gap in several ways, including rolling out free courses in STEM subjects such as cybersecurity, the public sector cannot easily compete with the much higher salaries offered by commercial organisations.
Remote or hybrid working policies will help expand the pool of candidates beyond geographical boundaries, but attracting and retaining the right people will remain a problem for the sector.
There are effective steps universities can take to help protect themselves in terms of processes and services. We encourage all senior teams to engage with their technology leaders to ensure these things are happening in their institutions − noting that significant investment may well be required to put them in place:
Vulnerability management and patching procedures are essential for all systems, with priority given to critical and externally accessible services.
Segmenting and isolating all critical service infrastructure helps prevent attackers who gain access to one system moving on to others.
Implementing segregated central logging and monitoring of critical systems enables early warning of potential problems and will help in incident investigations.
Ensuring backups are segmented, secured and tested regularly is paramount, as is frequently rehearsing incident response plans and procedures. Practice won’t make security perfect, but it will ensure that your response in the event of an attack is effective and that you can recover as quickly as possible.
Controlling system access is vital too. Only those people who need access should have it. Multi-factor authentication (MFA) has a significant role to play in controlling system access more widely and, therefore, reduces the risk of a successful ransomware attack.
There has been a sharp rise in the deployment of MFA during the pandemic, but it’s not yet in place across the board. We recommend that it’s rolled out to all systems, all staff and all students. Our survey shows that 87 per cent of HEIs are now implementing MFA for some or all staff (up by 15 per cent on 2020) and 49 per cent have it in place for some or all students (an increase of 27 per cent on 2020).
Similarly, security awareness training is a key tool in preventing security incidents caused by phishing and other “human errors”, which the survey acknowledges as the second and third top threats this year, behind ransomware.
To help underpin knowledge-sharing and maintenance, we advocate mandatory training for all. The survey reveals this to be an opportunity area for the sector, with 73 per cent of universities running compulsory training for staff, but only 9 per cent insisting that students take a course.
Continuing the trend of the past five years, perceptions of cybersecurity protection are not high in HEIs, with only 17 per cent (16 of 93 respondents) scoring themselves at 8 or more out of 10. The mean score is 6.3.
So, while the latest stats show the trajectory is heading in the right direction, we believe, as many of you will too, that more could be done. And Jisc is here to help.
Heidi Fraser-Kraus is CEO of Jisc.