As a college leader there are many concerning issues to consider, including the pressure on funds, doing the best I can for staff and students and keeping up with ever-changing shifts in government policy. But right up there on my list of priorities is cyber security, particularly protection of the college network and the countless online systems which depend upon it.
The national research and education network, Janet, is central to everything we do, so losing that connection would be a disaster: pretty much everything would grind to a halt.
Just imagine – no email, no admin or finance systems, no wifi or internet, no virtual learning environment and no access to learning resources. There’s also a risk that students could lose their work and we’d have to revert to a style of teaching we’ve taken years to modernise. Last, but by no means least, it could be a PR nightmare.
Students don’t hang about when something like this happens. There’d be no hope of keeping such a huge problem quiet, since students used to smartphones and 24/7 internet access will be quick to vent on social media, just as soon as they can get connected. Their comments are bound to be picked up by the media, and your comms team will be doing their best to limit the reputational damage.
Then there’s the obvious disruption and loss of productivity for the duration of an outage, not to mention the cost of extra personnel hours to deal with the clean-up and repair. There is some research which puts the cost of a network outage at around £3,300 per minute, but I’d rather not think too much about that! Instead, we recognise something like this is avoidable and my advice is to concentrate on preventative measures, which are expensive, but still cheaper in the long run.
However, I know cyber security isn’t always a priority for college leaders, and that must be a frustration and a worry for staff in many colleges who realise that it doesn’t pay to skimp on this issue.
For colleges like Forth Valley, which are thinking about upgrades to digital systems or infrastructure, it’s important to consider cyber security as an integral and inter-dependent part of all college systems. A college-wide strategy sets clear goals and outlines how you’re going to achieve them, but for this to work effectively, buy-in from senior decision-makers is essential.
At Forth Valley College, we have recently launched a creative learning and technologies strategy, with six “ambitions”. One of these is that our IT infrastructure is safe, secure, robust and agile enough to embrace changing needs and practices. This places cyber security at the heart of both our strategy and our thinking.
As part of this strategy, and as we move into a new headquarters campus, we are planning to re-invest in our infrastructure, ensuring that we take advantage of advances in technology.
During this process, many companies are keen to talk to us, and tell us how good their products are. Getting good and, crucially, impartial advice can be tricky, and potentially costly if you go down the private consultancy route. This significant role is performed for us by the sector’s not-for-profit technology solutions organisation, Jisc, which acts as both an impartial and critical friend.
We have worked closely with Jisc for some time and benefit hugely from its advice and guidance. Staff on the Janet Network computer security incident response team (CSIRT), for example, are always available to help us deal with security problems. And our IT staff are often signposted to Jisc experts, who in turn may put us in touch with other further education institutions which can demonstrate best practice on projects that are already in place and that we can emulate or learn from.
Steps you can take
As a result, we know what we must do to keep our staff, students, network and systems safe. If you’re not sure what a good cyber security strategy looks like, contact Jisc, check out the National Cyber Security Centre website, or go through the following checklist:
What are the risks?
Start with a risk assessment. What are you trying to protect against? Criminal gangs, disgruntled students and staff, 'hacktivists'? Does your institution have relationships with organisations or industrial partners that might make you an attractive target? And where are your biggest vulnerabilities?
Put measures in place to defend the network perimeter, and to filter out unauthorised access and malicious content. Monitor and test these security controls. Segment your network so if one machine gets infected with malware you limit the ability for it to spread across the whole institution.
Produce security policies for all users clearly setting out acceptable and secure use of your systems. Maintain awareness of online security risks by providing ongoing training for staff and students, covering on-campus and remote access.
Put in place anti-malware defences such as anti-virus software and end-point protection solutions. Make sure they are turned on and kept up to date.
Make sure you know what software and hardware you have in place, so you can easily and quickly update as soon as new security patches are released.
Managing user privileges
Not everyone needs full admin access, so only provide privileged access to those who need it.
Accept that bad things will happen, and encourage a culture where people know how to report things that seem suspicious. Set up protocols so everyone knows what to do in the event of a security incident, and practise them. Know who to call if you need help when you are attacked.
Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. Analyse incident logs for unusual activity that could indicate an attack.
Join CiSP (Cyber Security Information Sharing Partnership) and encourage your staff with responsibility for cyber security to network with peers. Make use of existing capabilities. For example, if you teach cyber security courses, encourage those students to become security champions/ambassadors for others. Jisc members will be automatically plugged into its sector-specific intel sharing system.
Set the standard
Once the basics are in place, aim to reach the government’s Cyber Essentials or Cyber Essentials Plus standards. These provide assurance that you are on the right track and can demonstrate to stakeholders that you are cyber security aware.
Finally, remember that the threat landscape is ever changing, so it’s important to regularly review and evolve your cyber security strategy and to adopt a digital infrastructure that can evolve to accommodate the latest technology. At the end of the day, the principal and/or chief executive must understand the risks and responsibilities of cyber security; ultimately, it’s their job to ensure the cyber safety of their college, their data and their people.