'Cyber security: the task is significant and complex, but we are not alone’
Written by Universities UK (UUK) in association with the National Cyber Security Centre (NCSC) and Jisc, new guidance for the higher education sector demonstrates the criticality of cyber security.
The UK’s universities are proudly dynamic, diverse and international institutions, bringing together staff, students and visitors from across the globe throughout the year.
This type of engagement is a key strategic asset to the UK. Open access to campuses and their associated sites is an important aspect of academic life that is necessarily built on a foundation of safe and secure online environments.
Universities have made good progress in developing processes that manage security-related risks. However, there is more to be done, and cyber security has never been more important. Connectivity and digital technology now underpin almost all aspects of running a university or research centre – and this makes the security of our networks, data and people crucial. As leaders, we are ultimately responsible.
Reducing risk and mitigating impact
Written by Jisc, Universities UK (UUK) and the National Cyber Security Centre (NCSC), new guidance for the higher education sector demonstrates the criticality of cyber security.
It reminds us that because of the work we do and the data we hold, our sector remains an attractive target for all kinds of cyber criminals, from have-a-go opportunists to state-sponsored, highly organised groups.
It will also help us understand what we ought to be doing to reduce risk; how to prevent as many attacks as possible and how to mitigate the impact of those we cannot. There is a balance to be struck, though, between the need for collaboration and access to data, and working practices that maintain security.
The Trusted Research Guidance for Academia, developed by the National Cyber Security Centre (NCSC) and the National Protective Security Authority (NPSA), outlines the importance of this balance.
This should not mean anyone faces barriers in carrying out their job, but we must find new ways for people to operate that do not put themselves, their colleagues, their work, or their employer, at risk.
We must be firm and prepared to change how we do things, fostering a positive culture of awareness where security is on everyone’s radar.
We must be firm and prepared to change how we do things, fostering a positive culture of awareness where security is on everyone’s radar.
In short, good cyber security hygiene is dependent upon robust processes and policies and requires a commitment to significant ongoing investment, both in technology and in people with the specialist skills to implement and operate it effectively.
Prevention is better than cure
Security failures can have potentially catastrophic consequences, as Jisc’s cyber impact report outlines. Serious cyber attacks on higher education providers have resulted in massive disruption to teaching and learning and to business-critical systems, sometimes for long periods of timeP.
This has obvious implications for reputational damage and for the wellbeing of staff and students. Some attacks have incurred financial costs of more than £2m. So, prevention is better than cure.
Yes, the task is significant and complex, but we are not alone; our critical friends at Jisc, NCSC and UUK are here to support us. Jisc offers a range of cyber security services and expertise, as well as its guidance, 16 questions you need to ask to assess your cyber security posture (pdf), designed for boards.
This complements the NCSC’s revised board toolkit, which includes an introductory video specifically for the higher education sector.
UUK also has a dedicated programme of work on managing security-related issues and has developed guidelines on managing risks in internationalisation, including a chapter on protecting university students, staff, visitors and campuses from cyber security threats. Leaders will find details of all these resources within the new guide.
By collaborating with expert organisations which provide advice and solutions, we can minimise the risk and provide reassurance to our governors that, while it is impossible to be immune to attack, we can be as well prepared as possible.
Further information
- Booking is now open for this year’s Jisc security conference, which is being held at ICC Wales on 21 and 22 November 2023, and online on 23 November.
- Join the ‘defend as one’ campaign to receive personalised instructions on steps to improve security posture.