Cyber security attacks have emerged as one of the most significant threats to universities and colleges in recent years.
Informed by my experience of two significant data breaches at the University of Greenwich, where I am vice-chancellor, this blog describes the most significant cyber security risks and offers advice for senior leaders and board members about how to mitigate cyber threats and the potential impact.
The rising threat of cyber security attacks
Many senior university leaders and board members are increasingly worried about the rising threat of cyber security attacks. Ciaran Martin, CEO of the National Cyber Security Centre (NCSC), has clearly stated that cyber security is one of the major business risks to organisations, not least because cyber crime is ubiquitous and growing rapidly.
This is a very serious, highly technical and rapidly evolving topic and, while some university and college leaders are confident they have a high-level executive view of cyber security, many are concerned that they need to know more.
The top risks for educational institutions include phishing, harassment, ransomware, IP theft (piracy), account hacking, credit card fraud and denial of service attacks. How many senior leaders know what these are and what risks each poses to their organisation?
Taking a step back for a moment, universities and colleges are at high risk of such threats because they typically have open, permissive, and highly distributed IT systems. These systems have very large numbers of users and deal with very valuable and sensitive information.
Cyber crime is hard to see and touch, it is growing fast, and universities are especially exposed to its impacts, as the recent publication of a report by the NCSC shows.
My experience of data breaches
As mentioned, I have a bit of experience of cyber security and cyber crime. In 2016, Greenwich had two security breaches that were of sufficient seriousness that they needed to be reported to the Information Commissioner's Office (ICO). Although it is clear that the information breaches occurred, there is no evidence that people were directly affected in any material way.
However, the consequences for the university were significant. Firstly, we were fined a substantial sum (£120k, reduced to £96k for early payment). Secondly, we had to respond quickly to ensure that similar breaches did not occur again. Thirdly, we made rapid changes to digital policy, access and training, and restricted rights in ways that inconvenienced and annoyed some people. Finally, we had to upscale our technology, training, insurance, auditing and general awareness, which consumed a lot of resources and directly impacted staff right across the organisation.
In the aftermath of these data breaches we took a number of specific actions:
- Required all staff to undertake General Data Protection Regulation (GDPR) and information security training
- Moved all at-risk IT systems under central control
- Installed additional security software
- Increased the level of password protection
- Undertook penetration testing
- Acquired specific cyber crime insurance cover
- Had an independent audit report
- Added a cyber security risk to our risk register
Similar problems also occur in the corporate world, and over the course of the past 18 months some of the biggest and most widespread data breaches in the history of the Internet have hit the headlines.
Recent high-profile examples include attacks on Marriott and British Airways (BA). In the case of the BA data breach, some 380,000 credit card transactions were taken and the initial fine was £183m. In the aftermath, BA not only had to deal with the financial costs of investigating the breach, but also the cost of additional security (e.g. penetration testers, consultants, security vendors, public relations and legal advice). BA will also be aware of the reputational and brand damage associated with the breach, and of potential litigation.
All this is a major distraction for companies, impacting their overall strategic aims and objectives – something we should all consider when drafting resilience and business continuity plans.
Cyber security: key questions for university and college senior leaders
As a senior leader it may be helpful to consider the following questions when assessing cyber security risks:
- Do you have a good understanding of cyber security threats and their potential impact?
- Have you commissioned an honest and detailed independent assessment of your vulnerability to cyber security threats?
- Have you considered adding cyber security to your risk register?
- Have all your staff been trained in information security and cyber security?
- Do you have a disaster recovery and business continuity plan in the event of a major cyber security incident and have you tested it?
- Do you have cyber security insurance?
It’s also worth reading the NCSC's information for board members.
In summary, it is clear that cyber security is a critical business risk for universities and colleges, so it is vitally important that senior executive teams and governing bodies have a grasp of its significance and take appropriate actions to avoid becoming a victim.