Universities should test their cyber defences - before someone else does
Academia is the top target for ransomware attacks, but there are practical steps that institutions can take to bolster their cyber security
Recent high-profile cyber attacks have raised concerns in the UK research and education sector that they may signal an oncoming wave of similar incidents. If they do, what can institutions do to reduce the risk?
While universities have made good progress in developing processes to manage security-related risks, the threats are increasing and there is much more to be done.
Cyber security has never been more critical.
The good news is that there are practical steps that institutions can – and should – take to bolster their cyber defences, as well as a wealth of resources, advice and tools at their disposal to help them make the necessary changes.
Academia is top of the list for ransomware attacks
The most acute and pervasive threat against which all institutions should take action to protect themselves is ransomware. Between September 2022 and August 2023, the National Cyber Security Centre (NCSC) received 297 reports of ransomware activity. Of those, 50 came from academia – far ahead of the manufacturing sector (28) and IT (22).
Hackers aren’t choosy about their victims. It’s not that they deliberately target the research sector, but the essentially collaborative nature of universities and their extensive digital footprints significantly increase their exposure to cyber risks. Add to that limited budgets, skills and resources, and the implications are clear.
As well as incessant speculative attacks by have-a-go opportunists, we’re seeing an increase in more serious incidents that originate from organised criminal groups. These gangs offer ransomware-as-a-service on a franchise business model to smaller groups or individuals who pay an agreed percentage of the profits as commission.
Any data a hacker can extract has value. Criminal groups are always looking for new ways to monetise the data they steal: trying to extort a ransom payment for unlocking encrypted data, threatening to release sensitive data, or selling it on to other gangs to use for more targeted phishing emails. Our consistent recommendation is never to pay any extortion demand: doing so can incur heavy penalties.
Be better prepared
In a connected community like the UK higher education sector, every institution has a part to play in combatting this growing threat. The interdependence and interconnectedness of the sector mean a failing at one establishment can have implications for many others, so it is imperative that individual organisations account for the risks they face and the criticality of the functions for which they are responsible.
All institutions should regularly test all aspects of their preparedness. Organised exercises are essential for ensuring an effective response to cyber incidents: they provide a safe way to test your infrastructure, policies and procedures, and allow appropriate corporate governance to be put in place, along with an incident command structure that’s ready for immediate mobilisation.
So a key recommendation for any university that has not recently undertaken a simulated cyber incident exercise is to do so as soon as possible.
Afterwards, everyone across the organisation knows exactly what they need to do in the event of a cyber security attack.
Change the cyber culture
We have to be prepared to change how we do things if we are to foster a positive culture of awareness where security is on everyone’s radar.
Security must be embedded across all elements of an institution's culture and working practices: we need to identify more effective ways for people to work without putting themselves, their colleagues or their institution at risk.
People should be encouraged and praised for reporting any security issues and concerns. A positive, no-blame security culture needs to be engendered from the top down, balanced by clearly communicated and understood expectations around behaviour, acceptable use and negligence.
We must also work to enable digital transformation by ensuring that every institution’s digital infrastructure is secure by both design and default. Legacy systems are difficult and expensive to protect, and only by investing now can we start to reduce the ongoing support and maintenance costs associated with looking after them in the future.
Create a more effective cyber security ecosystem
We all need to do more sharing – of intelligence, of lessons learned, of best practice.
While the sharing of information on cyber security incidents and data breaches can be a sensitive issue, sharing intelligence about risks, threats, remediation approaches and lessons learned among the community is an essential component of an effective security ecosystem.
Increasingly, cyber communities are providing a forum for peer exchange of knowledge and proactive horizon scanning. A recent government report, Cyber security breaches survey 2023: education institutions, noted that “higher education institutions in particular highlighted a culture of sharing information and learning with each other, with networks like the Jisc cyber security community group facilitating this sort of support and guidance.”
A great example of collaboration across the sector is the new guidance report for the higher education sector by Universities UK (UUK), the National Cyber Security Centre (NCSC) and Jisc, which outlines the main threats facing the sector and sets out leaders’ responsibilities to understand and mitigate these risks.
A longer version of this article first appeared in Research Fortnight, Feb 14 2024