A worrying 92 per cent of higher education institutions identified breaches or attacks in the past 12 months, according to the recently published 2022 Cyber Security Breaches Survey. As I write this, five institutions were in their second week of actively managing the impact of a cyberattack. Such an incident can take days or weeks to recover from, and in some cases many months. The average cost is £3.2 million, according to IBM’s Cost of a Data Breach Report 2021. Can any of you reading this say with certainty that there isn’t a nefarious character lurking somewhere on your network, waiting quietly and poised to attack?
I recently participated in two panel debates on cybersecurity, one at “Ahead by BETT” and the other at the UCISA22 Leadership Conference. Both sessions included chief information officers (CIOs) who had been through a cyberattack and come out the other side – me included. So what have we learned from these harrowing experiences?
- Cybersecurity remains a critical issue that universities must face
- Supporting cybersecurity literacy for workforce-ready graduates
- Cybersecurity in the HE sector – getting the basics right
1. Prevention is better than cure, so be better prepared
I’m sure all of us have a business continuity plan, somewhere, maybe gathering dust. It will invariably include a section on loss of IT. It might actually include a section on recovering from a cyberattack. But when was the last time it was tested? Those plans need a good rehearsal. Get everyone around a table. If you lost everything, where would you start? Is there a clear priority for recovering systems and services? Are you sure you know all the interdependencies? What if your data backup systems were encrypted by ransomware? Ours were.
Few business units really appreciate what having no IT is like. Everyone always assumes that IT will be up and running again soon. Those units must have contingency plans in place to deal with a prolonged outage. Moving services to the cloud may lull you into a false sense of security. Hosted services might not be immune, and if authentication stops working, you might not be able to access them at all.
Be ready with the comms plan and get messages drafted now in the cool calm of normality. How will you communicate with staff and students if the IT systems are down? How will you communicate with each other, especially if you are working remotely? Try to avoid having to use your website home page to get important messages across, otherwise you are sharing them with the rest of the world.
2. Get buy-in from the very top
Cybersecurity is not just a matter for the IT department. Everyone needs to understand what their responsibilities are – at an individual level, at a business unit level and right to the very top. The vice-chancellor, governing bodies and audit and risk committees should have full visibility of cyber risks and mitigation strategies.
A good checklist for senior management is Jisc’s “16 questions you need to ask to assess your cyber security status”.
3. Use the tech and use it well
Most security breaches occur weeks and months before the obvious attack occurs. While there are some sophisticated (and correspondingly expensive) threat detection and protection systems out there, and you should certainly consider investing in them, there are also some very simple steps that must be done.
Ensure that all users (yes, students too) have strong passwords and multi-factor authentication enabled. This is the norm across most online services now, and it should be the norm in universities, too. A show of hands at UCISA22 suggested that less than half had enabled this.
Review your privileged accounts. Do you really need them? After the University of West London’s (UWL) breach, we reduced the number of domain administrators from more than 50 to just a handful. It’s a lot easier to do those now than it is to wait until you have to assume that all accounts have been compromised, forcing a wholesale password reset.
Segregate networks so that if an attacker gets access to one device, they can’t access the whole IT estate. Ensure that systems are properly patched at both a system and application level.
4. Invest now, and don’t wait until it’s too late
While a crisis might help to fund work on cyber improvement plans, don’t wait until it’s too late. The case for investment should be made now. Jisc and Universities UK have been pushing cyber at the door of vice-chancellors. From a media perspective, these attacks are still seen as high-profile and garner significant coverage, resulting in reputational risk. There are enough of us now to speak of our experiences to executive teams and governing bodies to help nudge investment cases over the line.
Get expert help and support on tap for when you’ll need it. Whether it’s through sector-led shared services such as HEFESTIS, through dedicated cyber insurance and recovery assistance (although that’s becoming harder to source by the day), or via a specialist tech company, get the contract in place now. Trying to set up a new supplier and getting a significant purchase order approved in a hurry and without any IT systems working is not easy – and I know.
5. It’s all about people
As good as the tech may be, people invariably are and always will be the weakest link. Six years on from its data breach, the University of Greenwich had enough time to really embed a “security first” culture. Staff have to complete compulsory cyber training. At UWL, this is refreshed every year, and cyber is a recurring theme at termly all-hands meetings. Those universities that have deployed the tech need to ensure that people and processes are in place to act on the alerts generated. When the attack hits, it’s important to protect key staff so that they can get on with the fix and don’t burn out in the process. It can be a very stressful time, and their welfare needs careful consideration.
6. A problem shared is a problem halved
It is really important that we can share, in a safe space, details of any cyberattack with each other – so that others can be forewarned of potential threats and so that the sector can better support itself. I can attest that being a chief information officer in the middle of a cyber event is a scary and lonely place to be, and perhaps the most challenging of my career thus far. Being able to speak to others who had been through that nightmare was invaluable.
So act now. Be prepared, and good luck when your day eventually comes!
Adrian Ellison, associate pro vice-chancellor and chief information officer, University of West London and chair of UCISA.
Thank you to my fellow panellists for sharing their experiences and insight: “Paul A”, the National Cyber Security Centre; Trevor Baxter, director of IT innovation, King’s College London; Rachel Bence, chief information officer, Queen Mary University of London and chair of the Russell Group IT directors’ group; Paul Butler, director of information and library services, University of Greenwich; James Crooks, director of learning and information services, University of Central Lancashire; Mark Ferrar, chief information officer, Newcastle University; David Gillard, interim chief information officer, University of Hertfordshire; Deborah Green, CEO, UCISA; Steve Kennett, executive director for security at Jisc; and David Robertson, chief information security officer at HEFESTIS.
If you found this interesting and want advice and insight from academics and university staff delivered direct to your inbox each week, sign up for the THE Campus newsletter.