A recent report revealed that “ethical” hackers working for the higher education internet service agency Jisc were able to beat the cyber defences of some UK universities in two hours or less. Furthermore, in 2018, 200 institutions recorded more than 1,000 attempts to steal data or disrupt services, so cyber-resilience is clearly a matter of urgency for the sector.
Universities’ attempts to protect themselves must now go beyond new firewalls and software updates. A more soul-searching self assessment of higher education’s exposure to cyber threats is needed to develop resilience strategies that are fit for purpose.
By its very nature, the culture of higher education is collaborative. As a result, universities have a democratic attitude to information. They want to give students, faculty and partner institutions largely unrestricted access to university resources to support learning and groundbreaking research. Access this broad is unusual in organisations of a similar size. The trouble is, when you combine an open access culture with large student and faculty bodies and a large number of remote routes into university systems, the likelihood of a single human error leading to a significant cyber breach intensifies.
“Spear phishing”, a form of attack highlighted in Jisc’s report, relies on deceiving a person rather than defeating a technical control, and it is one of the most common attacks used against higher education. Attackers send a personalised email, ostensibly from a known or trusted source, to induce targeted individuals either to divulge confidential information, such as their login credentials, or to take an action, such as opening an attachment, that gives the attacker a direct route into the organisation’s systems. Once this happens, everything from personal information to university research can be stolen or held to ransom. This means every individual with access to an organisation’s systems is a potential route in for an attacker, and the risk grows when universities are liberal with access rights.
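The attack described above succeeds because the message looks as if it comes from someone the recipient knows, which is why the first technical check most institutions add is on the message headers. The script below is an added example, not part of the original article and not Jisc’s or Weightmans’ code; it assumes a constructed organisation domain (`example.ac.uk`), a constructed staff directory and three constructed sample messages, and flags the three header signals that personalised phishing most often carries: a display name that matches a real staff member but an address outside the organisation, a Reply-To that diverts replies to a different domain, and a lookalike of the organisation’s own domain.

```python
"""Flag common spear-phishing indicators in e-mail headers.

Added example for illustration, not the article's or any vendor's code.
The organisation domain, the staff directory and the sample messages below
are all constructed for this example.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.ac.uk"  # assumed organisation domain (constructed)

# Constructed staff directory: display name -> canonical internal address.
STAFF = {
    "Jane Smith": "j.smith@example.ac.uk",
    "Finance Office": "finance@example.ac.uk",
}
_STAFF_NAMES = {name.casefold() for name in STAFF}


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_internal(domain):
    """True for the organisation domain itself or any of its subdomains."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def _skeleton(domain):
    """Crude lookalike normalisation: strip accents, fold common homoglyphs.

    Good enough to catch examp1e / exarnple style substitutions; a real
    deployment would use a confusables table rather than this short list.
    """
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                      ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def spear_phishing_indicators(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    reply_dom = _domain(reply_addr)
    internal = _is_internal(from_dom)
    findings = []

    # 1. Display-name impersonation: a known staff name on an external address.
    if from_name.casefold() in _STAFF_NAMES and not internal:
        findings.append("display-name impersonation of %r from external domain %s"
                        % (from_name, from_dom or "(none)"))

    # 2. Reply-To diverts the conversation to a different domain than From.
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain %s differs from From domain %s"
                        % (reply_dom, from_dom or "(none)"))

    # 3. Lookalike of the organisation's own domain.
    if from_dom and not internal and _skeleton(from_dom) == _skeleton(ORG_DOMAIN):
        findings.append("lookalike of %s: %s" % (ORG_DOMAIN, from_dom))

    return findings


# Constructed sample messages (not real mail).
MSG_LEGIT = """From: Jane Smith <j.smith@example.ac.uk>
To: student@example.ac.uk
Subject: Lab meeting

See you at 10.
"""

MSG_IMPERSONATION = """From: Jane Smith <jane.smith.uni@gmail.com>
Reply-To: vc-office@outlook.com
To: finance@example.ac.uk
Subject: Urgent: supplier payment

Please process the attached invoice today and confirm.
"""

MSG_LOOKALIKE = """From: Finance Office <finance@examp1e.ac.uk>
To: staff@example.ac.uk
Subject: Payroll update required

Log in here to confirm your bank details.
"""

if __name__ == "__main__":
    for label, raw in (("legit", MSG_LEGIT), ("impersonation", MSG_IMPERSONATION),
                       ("lookalike", MSG_LOOKALIKE)):
        print(label, "->", spear_phishing_indicators(raw) or "no indicators")
```

This is header analysis only: the From line is attacker-controlled, so a check like this belongs alongside SPF, DKIM and DMARC alignment at the mail gateway rather than in place of them, and a clean result says nothing about a message sent from a genuinely compromised internal account.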
The climate higher education is operating in makes mitigating this threat more pressing. A university’s financial health is not as certain as it once was, and the fallout of a cyber attack could include a significant regulatory penalty. The £16.4 million fine levied by the Financial Conduct Authority against Tesco Bank for its failings around a 2016 cyber attack on customer accounts demonstrates how seriously regulators are taking cybersecurity.
Yet, financial penalties aside, the most insidious effect of a cyber breach could be the impact on a university’s reputation. The market for students is more competitive than it has ever been. Universities cannot afford to be known for a high-profile breach where, for example, students’ personal information was compromised.
It would be wrong to argue higher education should sacrifice its open attitude to information access wholesale for the sake of better cybersecurity. It is what makes our universities vibrant, world-leading centres of research. Instead, the sector needs to marry its unique outlook with proactive cyber-resilience strategies that ensure that culture is sustainable, while protecting against threats.
A big part of this is education. Universities need to match the scale of their exposure to human error with a programme that drives home good personal cybersecurity principles to every student and member of staff. It is also sensible for universities to conduct a full audit of the routes into their systems, identifying every externally reachable service and remote access path and who holds access to it, paying particular attention to connections with external organisations.
Universities can improve their own cyber resilience, but they cannot take the security of the organisations they connect to on trust: the democratisation of university resources often extends to the students and faculty of partner institutions overseas, whose accounts and networks the university does not control.
More broadly, while a comprehensive cyber-resilience policy must include proactive measures to identify and minimise risk, there also needs to be an airtight incident planning and response function to limit the damage caused by a breach.
The bottom line is that cyber resilience is no longer the reserve of the IT department; it requires a holistic, organisation-wide approach led by the vice-chancellor’s office and taking in everything from law and regulation to communications and employee engagement.
The threat posed by cyber criminals will continue to evolve as technology becomes an even more crucial part of university life. It is not outside the realms of possibility for the Office for Students to make a robust cyber-resilience strategy a licensing requirement in the future. If universities get on the front foot now, they will be well placed to protect the open access culture that’s been such a critical component of the UK higher education sector’s success.
Martin Vincent is head of education and a partner in national law firm Weightmans’ CyXcel team, which engages a network of 15 specialist businesses to help organisations build cyber resilience.