If the answer to that question’s a slightly weary “yes”, you’re not alone. Jisc’s 2019 cyber security posture survey shows that IT and security specialists in both higher and further education organisations believe phishing remains a major threat.
Phishing has been the top threat mentioned in the annual cyber security posture survey for the last three years and Dr John Chapman, head of Jisc’s security operations centre (SOC), says the phishing incidents seen by his team show that members are right to be concerned.
As cyber attacks increase in frequency and sophistication, this is an issue that colleges and universities are working hard to address. For example nearly three-quarters of HE providers have now recruited staff for dedicated cyber security roles and 66% have a strategic cyber security lead – that’s an increase of ten percentage points in the last two years. Corresponding figures are lower in FE, where 11% have dedicated cyber security roles and 38% have a strategic cyber security lead, but they’re increasing here too.
Members are fighting back against the rising threat in other ways. 97% of universities and 75% of FE colleges are now using third party services to help in spotting and managing current and future threats, compared with 66% of universities and 49% of colleges in 2018.
But, despite significant work to bolster cyber defences, some organisations feel less protected than they did last year. Respondents were asked to say how well they feel their organisation is protected against cyber threats, rating it from one to ten, with ten representing ‘very well protected’. The mean score in HE was 5.6 (a drop of 0.3 since 2018) and 5.9 in FE (a larger drop from 7.1 last year).
That’s partly because cyber attacks are more often in the news, but it is also suspected that the increase in security staff has led to a more realistic assessment of an institution’s security posture.
People-related incidents are the second most frequently mentioned threat for both HE and FE, whether that is due to accidents, or students and staff not always following correct procedures because they aren’t aware of them or are resistant to them.
To help with this, Jisc advocates compulsory training for all students and staff. Dr Chapman says:
“We’re pleased that the sector has begun moving in this direction.
“Our first cyber security posture survey in 2017 showed that 48% of universities and 41% of colleges had mandatory training in place for some or all staff, and this rose to 57% and 55% respectively in 2018. Although this year’s figure for HE is now an impressive 81%, the number of FE organisations with compulsory staff training has remained static.
“It’s concerning that far fewer organisations insist on security training for students. In 2017, ten percent of people surveyed in both higher and further education said this training was mandatory for students. In 2018 this figure dropped to only three percent of universities, although there was an increase to 31% in colleges.
"This year, it rose to eight per cent of HE institutions insist on all or certain students taking training, but dropped to 24% of FE providers.”
"While training is an important weapon in the cyber security armoury, it isn’t enough on its own," says Dr Chapman.
“Some phishing emails are so sophisticated that they are almost impossible to distinguish from genuine mail, so it’s essential to put in place technical solutions as well. The National Cyber Security Centre (NCSC) has some detailed guidance about the type of controls to choose.”
More perceived threats
Although phishing and lack of compliance with agreed procedures are seen as the biggest threats, there are others. In HE, the survey found frequent concerns over data breaches, ransomware/malware attacks and patch management, and those responding from FE institutions also mentioned malicious attacks from inside and distributed denial of service (DDoS) attacks.
As an important step towards mitigating such risks, colleges and universities are working in increasing numbers towards Cyber Essentials accreditation.
“This is one of the biggest changes since last year’s survey,” comments Dr Chapman.
"Almost a third of FE and more than 40% of HE institutions say they have achieved this certification – up from four per cent and 14% respectively in the 2018 findings. This rise is likely down to funding requirements, government pressure, contractual obligations and due diligence requirements from research partners asking for formal proof of an organisation’s cyber security posture.”
Jisc is using the survey responses to focus efforts on developing the solutions that members want. So, for example, 95% of HE and 98% of FE respondents said they want Jisc to offer automated reporting of DDoS attacks and the cyber security team is exploring ways to extend the core Janet Network CSIRT service to accommodate this.
The team has also been working on its own ideas, such as deployment of honeypots. It seems this is an area that not many members are currently looking at, but initial feedback shows that it’s an idea worth exploring.
For more information on this year’s cyber security posture survey, its findings and the work Jisc is doing to support members' work on cyber security, don’t miss John Chapman’s talk at the Jisc security conference 2019. See John's session, "Jisc’s cyber security posture survey – how secure are you?" at 2:00pm on Tuesday 5 November 2019 in Newcastle.