Cybercrime is high on the political agenda and is attracting considerable government investment, but are universities and colleges doing enough to protect their data and reputation, not to mention their staff and students?
The cyber threats being reported in increasing numbers in the UK [1] aren’t just newsworthy; they’re also very real.
National Security Strategy
Given this increase, it’s not surprising that the government’s 2016 National Security Strategy reaffirmed cyber threats as one of the most significant risks to UK interests.
The strategy comes with a significant investment of £1.9bn over five years to “support work to keep the UK protected from cybersecurity attacks”, including £860m for education and research to provide knowledge and skills in cybersecurity for the future workforce.
In addition, the government has published a green paper on its industrial strategy, which, crucially for the cybersafety of the education sector, includes further investment in digital infrastructure and scientific research.
Janet network security
Used by almost all universities, colleges and research establishments, the high-speed Janet network, developed and operated by Jisc, is the UK’s national research and education network. It is, therefore, crucial to the sector and a major part of the UK's critical infrastructure. To maintain its health, we help our members (universities, colleges and researchers) secure their cyberspace as well as protect ours.
No network, however, is infallible. Our computer security incident response team (CSIRT) sees many types of attack on Janet daily. The attack we faced on our own infrastructure in December 2015, which affected the network for a total of six hours over an eight-day period, marked a change in hackers’ tactics, and we accelerated our planned enhancements to the Janet network.
The first part of the system upgrade went live on 4 October 2016, but between that date and 30 March 2017, Janet was subject to 583 attacks across 153 organisations.
Protecting your organisation
Nothing we do will ever stop cyber-attacks completely, but if our members continue to focus on managing risk, detecting vulnerabilities and patching systems regularly, breaches can be detected and fixed quickly.
Implementing cybersecurity controls to protect systems seems obvious, but it can be expensive, with return on investment difficult to quantify. Don’t underestimate its importance, though: the threat landscape is expanding and, with it, the requirement for assurances that data is secure.
An organisation that practises good risk management not only protects its reputation, intellectual property and data, but also offers its customers a measure of assurance, making it attractive to do business with.
Current and emerging technologies present many opportunities for new ways of learning and collaborating, but universities and colleges must also meet the associated challenge to ensure their learners behave safely and responsibly in the digital space.
Safeguarding and the Prevent agenda
There are several safeguarding measures to consider, with Prevent training for staff the political hot potato at present, and in the spotlight again following the terror attack on Westminster earlier this month. Designed to detect and tackle extremism in its infancy, Prevent is part of the government’s anti-terrorism strategy, although it is under review at the moment.
In addition, education institutions should install a web filtering system to help safeguard users from inadvertent exposure to illegal or inappropriate material. It’s also a good idea to educate users to be aware of phishing emails to defend against threats such as ransomware and compromised accounts.
Internet safety policy
Finally, it’s worth developing (and regularly reviewing) an internet safety policy that takes into account current technologies and social media. Under this policy, be clear about what is expected of staff and students and deliver relevant training.
You may want to cover areas like the legalities of copyright and music downloads, plagiarising content from the web, explicit material, and online bullying.
My top five tips for maintaining cybersecurity:
- Identify your organisation’s critical assets or key information, the exposure of which would have a major impact on the organisation, and assess the risk
- There's little point investing in securing your devices, networks, and services if you don't maintain and enhance their cybersecurity throughout the period that they are deployed
- The most important activity to prevent common cyber attacks is to keep your technology up to date, and to apply the latest security patches as they're made available
- Cybersecurity mitigations will not be infallible; occasionally attackers will be successful. Taking steps to ensure that you can detect when cyber attacks have occurred (and knowing how to quickly recover from them) will pay dividends in the long run
- It is essential that you always back up your important information and have a plan for recovering from a system failure. An attacker could crash a network or computer's operating system, or data may be corrupted or wiped out by a hardware problem
[1] The Office for National Statistics’ latest annual crime report states that digital devices were used in 47.4% of all crime in the UK.