Hacking is a growing problem globally and attacks on all organisations, UK universities included, continue to increase. So, what is the higher education sector doing to combat the problem?
A new survey by Jisc indicates that universities’ cybersecurity budgets are increasing rapidly, but investment alone is not enough to tackle the problem.
Raising awareness of threats, what they look like and what to do about them is a key defence in the fight to protect cyberspace, and the higher education sector is making good progress on this point. However, there are other difficulties to overcome, too.
The research shows that, although most universities have information security awareness training for staff, fewer than half train students. Meanwhile, some universities report difficulties in recruiting staff with the right skills and complain there is not enough support for cybersecurity from senior decision-makers.
To put the issue into context, the latest Jisc figures show that, since October 2016, there have been 770 Distributed Denial of Service (DDoS) attacks against 176 different organisations connected to the Janet network. The unluckiest has been attacked on 59 separate occasions.
Working on the principle that preparation is the key to effective defence, 82% of respondents use outside expertise to test their systems for vulnerabilities, although fewer (51%) use third-party services to gain intelligence about current or emerging threats.
Jisc’s cybersecurity compliance manager, John Chapman, said:
“With the increasing threat landscape, it is becoming more important to identify where vulnerabilities are, keep technology up to date and to apply the latest security patches as they’re made available.”
Social engineering attacks, especially phishing emails (which may, for example, trick someone into a particular action or into revealing confidential information), are the most common threats mentioned by survey respondents, all driven by a lack of awareness.
It’s hardly surprising, therefore, that the top cybersecurity priorities are protection and prevention – and end-user training. The Jisc research found that 83% of universities provide training for staff, which is compulsory in 46% of cases, but only 40% train students and only 8% insist that students take a course.
John Chapman added:
“Being more aware of specific threats and improving user awareness can benefit institutions by reducing their exposure to attacks that can have serious implications.”
Respondents who felt their university was well protected against cyber-attacks said the issue was taken seriously by management, with the right investment, processes, technology and training in place. They felt able to react quickly to problems, undertook regular audits and, as a result, recorded a low number of incidents.
By contrast, those higher education institutions that felt they weren’t well protected said cybersecurity was low on management’s priority list, there was a lack of investment and they had trouble recruiting the right staff.
Using a real example, John Chapman explains how not investing in the cybersecurity area can be a false economy. He said:
“We recently came across a university that had invested in a Jisc automated approach to vulnerability assessment, which meant it was able to understand within a few minutes if any of the systems were at risk to the recent WannaCry attack.
“In turn, this allowed all the IT staff to be stood down from the alert on a Friday afternoon, saving the expense and disruption of working through the weekend to manually check that all systems across the estate had been correctly patched.”
The survey found that 72% of universities had staff dedicated to cybersecurity and 40% set aside money specifically for cybersecurity in 2015/2016, which is projected to rise to 58% in 2017/2018. Compared to the level of spending on cybersecurity during 2016/17, the mean amount is expected to rise by 132% in 2017/2018.
To help universities gauge where they are on the scale of protection, there are several recognised cybersecurity standards. Cyber Essentials is the most popular certification: 20% of universities have achieved this accreditation already, while 38% are working towards it and a further 29% are considering it.
Jisc is exploring the possibility of producing a cybersecurity ranking system for its members (universities, colleges and research establishments), after 94% of respondents agreed this would be useful. Jisc has already committed to helping members better assess their cybersecurity position by developing a security audit service.
The survey was conducted by Jisc between 30 March and 6 June 2017 and received 65 responses from 51 universities.