For more than two years, Jisc has been supporting the sector to deal with a sustained increase in ransomware cyber attacks.
Some of these attacks have been devastating, severely hampering affected institutions’ ability to operate, including during the crucial period of clearing and enrolment. Universities have lost data, services have been interrupted and a few have had to rebuild their entire digital estate from scratch at enormous expense.
The prevalence of ransomware and the potential for severe disruption prompted the UK’s National Cyber Security Centre (NCSC) to issue three alerts to the education sector, warnings that Jisc shared and supported with regular information to members.
Yet still our members are suffering. In 2020 there were 15 serious ransomware attacks, with 18 in 2021 and 11 so far this year.
Currently, the sector’s collective cyber posture is mixed, with some institutions better protected than others. The threat of some kind of cyber attack remains high, so it’s important that all colleges and universities are as well protected as possible.
Advice for senior leaders
If the impact of ransomware and other cyber attacks on the sector is to be minimised, vice-chancellors, their senior leadership teams and board members must fully understand their responsibilities around cyber security strategy and governance. And their IT and information security teams must understand the necessary defensive measures.
To help get across this message, Jisc CEO Heidi Fraser-Krauss and I are next week (7 September) talking to vice-chancellors attending Universities UK’s annual conference. We will be describing current threats and risks and offering our continued support and some practical guidance.
For example, the NCSC offers a toolkit for board members, which is meant to answer the question, ‘How do we know what good looks like for cyber security?’.
To complement that toolkit, Jisc has put together a list of 16 questions (pdf) that leadership teams should be asking to check their cyber security posture.
We also want to get across the role leaders must play in supporting a data-centric culture where care, ownership and accountability are as important for digital assets as for rare book collections.
Governance is the key word here: leaders should know where data is stored, who has access to it and who is responsible for its security. Strong security policies should also require minimum standards of data and system security, with any requests for exceptions signed off at the highest level.
What does good cyber security look like?
In short, a strong cyber security posture is a bit like a jigsaw, where each piece is integral to the overall picture. Any missing pieces are weaknesses that attackers can and will exploit. Technical measures, processes and policies, and staff skills must be considered as part of an evolving, multi-layered approach, not in isolation.
For example, the link between cyber services and cyber skills was demonstrated by one university that procured a top-class firewall but suffered a damaging cyber attack because staff didn’t know how to configure it correctly, which rendered it ineffective.
It’s crucial to get the basics right: take advantage of the cyber security services that Jisc offers as part of membership, make sure there’s a patching process, switch on multi-factor authentication, insist on a strong password policy, restrict admin access and segment business-critical systems and back-up servers so if an attacker cracks into the system, they cannot migrate through it and damage can be contained.
All institutions should use firewalls and vulnerability scans. In the absence of in-house resource or expertise, they can consider partnering with a managed firewall service provider or a third party that can monitor the network for incidents and engage penetration testers to help identify weaknesses.
Invest in staff with specialist cyber security expertise, or up-skill less experienced employees. And don’t forget that the entire staff and student body can be another line of defense. With phishing emails still among the most common methods of attack, we advocate mandatory security awareness training for all users.
We also encourage institutions to share their threat intelligence for the benefit of the whole sector. Only by working together will the sector become stronger. By collaborating to share cyber security data, expertise and capabilities, we can create a powerful defensive force.
- Former vice chancellor and chief executive at Staffordshire University, Liz Barnes, explains in this blog, Why senior leaders should champion cyber security
- For the latest cyber security thinking and to network and share experience with peers, register for the 2022 Jisc security conference, which takes place on 7-8 November at the ICC Wales, and on 9 November online