Promoting cyber security is a priority for any senior leader. We live and work in an increasingly digitally connected world, and technology has become almost ubiquitous in teaching, learning and business.
While we should embrace technology, we owe it to staff and students to keep our colleges and universities, and their data, as secure as possible in the face of the growing threat from cyber criminals.
As vice-chancellor of the University of Staffordshire and chair of the audit and risk management committee on the board at Jisc, I’m all too aware of the pressure on senior leaders to build robust cyber security defences.
Cyber attacks are increasing
As times have changed, so has technology, and this digital transformation has opened up opportunities for cyber crime.
According to the National Cyber Security Centre, four in 10 businesses and a quarter of charities report having cyber security breaches or attacks in the last 12 months. These statistics are a sobering reminder of the risk. It’s not a case of if your organisation will be attacked, but when.
Governance should cover security
It's important to understand that, like any other organisational function, cyber security requires governance.
Jisc's board recognises the heightened security risks in the cyber world and we want to ensure everyone across the organisation understands the importance of cyber security.
In support of this, we commissioned an audit of Jisc against the recommendations set out in the BS 31111 standard: cyber risk and resilience guidance for governing bodies and executive management.
The audit took place in January 2021 with a series of meetings involving key stakeholders and staff at all levels scrutinising our records and activities. Since then, we have a better understanding of risks across the organisation and senior leaders have driven some key changes:
- The senior team, including the CEO, now sit on the quality and information security management board
- We have created a roadmap in response to the audit's findings, which is regularly monitored and updated
- All laptops and desktop computers are configured to the same standard
Security is everyone’s responsibility
Cyber security is for everyone to take seriously and act on when necessary. It is never about placing blame on an individual when things go wrong.
Robust security is a strategic matter covering technical infrastructure, security awareness training for staff and students, and strong governance.
Cyber security is also the responsibility of all staff, not just the IT department, and IT staff are not the only ones who will have to answer questions in the event of an attack.
Although it's everyone's responsibility, it starts with governance and senior leaders. High-level managers and directors can and should implement good cyber security practices and lead by example.
Prevention is better than cure
Identifying all the relevant expertise and putting time and funds towards your organisation’s cyber security may be daunting at first, but don’t make the mistake of thinking an attack is unlikely. Acting to prevent a potentially hugely disruptive and damaging attack will be much less time-consuming and cheaper in the long run than recovering from one.
When the average impact of a data breach in the education sector is a hard-to-swallow £3.1 million, nobody can afford to be complacent. You never know when you may get attacked and how severe the impact could be.
Liz Barnes is vice-chancellor and chief executive at Staffordshire University and is a Jisc board member. Don’t miss her talk about senior board buy-in at the Jisc security conference - a free online event (9 – 11 November).