Hacking is a growing problem globally and attacks on all organisations, UK universities included, continue to increase. So, what is the higher education sector doing to combat the problem?
A new survey* indicates that universities’ cyber security budgets are increasing rapidly, but investment alone is not enough to tackle the problem.
Raising awareness of threats, what they look like and what to do about them is a key defence in the fight to protect cyber space, and the higher education sector is making good progress on this point. However, there are other difficulties to overcome, too.
Latest research shows that although most universities have information security awareness training for staff, fewer than half train students. Meanwhile, some universities report difficulties in recruiting staff with the right skills and complain there is not enough support for cyber security from senior decision-makers.
These findings are from a survey by Jisc, which operates the UK’s education and research network, supporting up to 18 million users. While individual universities are responsible for their own cyber defence, Jisc’s specialist security team monitors the Janet network and provides services, advice and training to help protect it.
The threat level and how to tackle it
To put the issue into context, latest Jisc figures show that, since October 2016, there have been 770 Distributed Denial of Service (DDoS) attacks against 176 different organisations connected to Janet. The unluckiest has been attacked on 59 separate occasions.
Working on the principle that preparation is the key to effective defence, 82% of respondents use outside expertise to test their systems for vulnerabilities, although fewer (51%) use third-party services to gain intelligence about current or emerging threats.
Jisc’s cyber security compliance manager, John Chapman, said: “With the increasing threat landscape, it is becoming more important to identify where vulnerabilities are, keep technology up to date and to apply the latest security patches as they’re made available.”
Social engineering attacks, especially phishing emails (which may, for example, trick someone into a particular action or into revealing confidential information), are the most common threats mentioned by survey respondents, all driven by a lack of awareness.
It’s hardly surprising, therefore, that the top cyber security priorities are protection and prevention – and end-user training. The Jisc research found that 83% of universities provide training for staff, which is compulsory in 46% of cases, but only 40% train students and only 8% insist that students take a course.
John Chapman added: “Being more aware of specific threats and improving user awareness can benefit institutions by reducing their exposure to attacks that can have serious implications.”
Why invest in protection measures?
Respondents who felt their university was well protected against cyber-attacks said the issue was taken seriously by management, with the right investment, processes, technology and training in place. They felt able to react quickly to problems, undertook regular audits and, as a result, recorded a low number of incidents.
By contrast, those HEIs who felt they weren’t well protected said cyber security was low on management’s priority list, there was a lack of investment and they had trouble recruiting the right staff.
Using a real example, John Chapman explains how not investing in the cyber security area can be a false economy. He said: “We recently came across a university that had invested in a Jisc automated approach to vulnerability assessment, which meant it was able to understand within a few minutes if any of the systems were at risk from the recent WannaCry attack.
“In turn, this allowed all the IT staff to be stood down from the alert on a Friday afternoon, saving the expense and disruption of working through the weekend to manually check that all systems across the estate had been correctly patched.”
The survey found that 72% of universities had staff dedicated to cyber security and 40% set aside money specifically for cyber security in 2015/2016, which is projected to rise to 58% in 2017/2018. Compared to the level of spending on cyber security during 2016/17, the mean amount is expected to rise by 132% in 2017/2018.
To help universities gauge where they are on the scale of protection, there are several recognised cyber security standards. Cyber Essentials is the most popular certification and 20% of universities have achieved this accreditation already, while 38% are working towards it and a further 29% are considering it.
In response to 94% of respondents agreeing this would be useful, Jisc is exploring the possibility of producing a cyber security ranking system for its members (universities, colleges and research establishments). Jisc has already committed to helping members better assess their cyber security position by developing a security audit service.
*The survey was conducted by Jisc between 30 March and 6 June 2017 and received 65 responses from 51 universities.
Jisc is the UK higher, further education and skills sectors’ not-for-profit organisation for digital services and solutions. We:
- operate shared digital infrastructure and services
- negotiate sector-wide deals with IT vendors and commercial publishers and
- provide trusted advice and practical assistance for universities, colleges and learning providers.