Results of Jisc’s fourth annual survey of cyber security in the education and research sector continue to demonstrate the increasing efforts made to combat cyber crime.
There are positive signs that the levels of expertise, technical controls and training at universities and colleges are rising, year on year, showing that providers are taking cyber security seriously.
This year, for example, the vast majority - 82% of higher education (HE) respondents and 87% of further education (FE) respondents - indicate that cyber security is a priority within their organisation.
It’s important though, to set these gains against an ever-evolving threat environment. Cyber criminals are flexible and respond quickly to exploit social or economic factors.
There are many instances of phishing scams taking advantage of the fear around COVID-19; freshers are commonly a target for scammers, as the government has recently warned; and the sector has recently suffered a spate of ransomware attacks.
Threats and training
This year’s survey, the results of which have been distributed to Jisc members, was issued in June/July 2020, while the sector was in lockdown and before the ransomware attacks in late summer. And yet ransomware has, quite rightly, still emerged as a prime threat.
As in the 2018 and 2019 surveys, phishing/social engineering is the top concern identified by both HE and FE respondents, with 72% of HE institutions and 74% of FE selecting this as the top-ranked threat.
Ransomware/malware and unpatched security vulnerabilities are ranked second and third by both HE and FE.
Among ‘other’ threats listed, human error and accidental data breaches by staff were most mentioned, again reflecting the responses from 2019. This suggests that implementing controls against phishing alongside training and awareness raising among staff/students is still a key priority for organisations.
Mandatory training for staff has increased for both FE and HE providers over the four years we’ve been running the survey – up from less than half to more than 80%. Colleges lead the way when it comes to compulsory security training for learners, with 30% insisting on it this year compared to just 8% of universities.
There has been a big jump in the proportion of organisations achieving cyber security certifications. Only 21% of HE and 7% of FE had Cyber Essentials in place in 2017 compared to 69% and 49% respectively this year; 8% of HE gained Cyber Essentials Plus in 2017 compared to 31% in 2020.
No FE organisation reported having Cyber Essentials Plus in place in 2017, while 19% have earned it in 2020 and a further 36% are on their way towards it.
This progress has been largely driven by government policies and funding requirements. Cyber Essentials is already a prerequisite for organisations hoping to win government contracts; achieving certification was a key action in the Scottish cyber resilience public sector action plan and it is also a requirement for those funded by the Education and Skills Funding Agency in 2020/21, while Cyber Essentials Plus will be a requirement from 2021/22.
Expertise and benchmarking
The majority (86%) of HE organisations report having dedicated cyber security staff in 2020 versus 69% in 2017, while the figures for FE are 28% this year compared with just 3% in 2017.
Security in colleges has tended to be carried out by IT staff wearing multiple hats, so it is encouraging to see the growth in FES providers with dedicated security staff.
Almost all universities (90%) use third-party services to test their defences, with almost three-quarters using some form of penetration testing. Third-party testing services are less commonplace in FE organisations, at 68%, although over half (53%) report using penetration testing.
The effects of COVID-19
This year’s survey was distributed in June/July 2020, while the sector was in lockdown because of the pandemic. Beyond the survey results, my team’s regular communication with security staff at colleges and universities indicates that members have largely risen to the challenge of supporting the rapid shift to online working.
However, survey respondents said the workload for IT and security personnel had increased, for example to expand virtual private network (VPN) capacity and to manage the security of devices remotely.
While some IT projects were delayed due to campus closure or changing priorities, both FE and HE organisations report that security-related projects, including implementation of multi-factor authentication, had been brought forward or instigated.
Because cyber security is seen as a priority, very few security staff were furloughed, and additional security controls or monitoring were put in place where necessary. There are also mentions of increased awareness raising and training for staff and students.
Impact of attacks
Cyber attacks can be catastrophic events, potentially causing weeks of disruption and incurring heavy costs, not to mention the reputational damage. Among the most common impacts reported to the survey were that attacks stopped staff from working and required additional staff time and extra money to recover.
Some organisations also report that attacks had led to investments in extra security controls, but prevention is always better than cure and there is no room for complacency.
Implementing robust technical controls and processes is certainly essential to defend against threats, but it is not a cure-all. Security is a board-level responsibility and should be embedded across organisations.
To hear more, book your place at Jisc's free online security conference, 3-5 November 2020. Dr John Chapman will be speaking about the cyber security posture survey at 13:00 on 3 November 2020.