Cyber Crime
How UK universities can manage surging cyber risk
In managing cyber security risk there has always been a trade-off between optimum security and productivity. Within education and especially the university sector, this balance is harder to get right, as the nature of universities means there is a culture of open access and collaboration, and a huge mix of services on the network.
To mitigate a growing risk of compromise, the sector will need to revisit threat assessments and strengthen security posture with a range of technical and non-technical controls.
Education under fire
A recent report from Universities UK – Cyber Security and Universities: Managing the Risk - highlights the challenges facing IT teams. Among its findings are:
- The nature and complexity of university environments create a large attack surface with multiple potential points of entry. The complexity and breadth of organisations’ digital estates mean new risks and threats are continually emerging
- The huge range of valuable data generated and stored by universities (staff and student personal information, research data and evidence) and their consequential reliance upon it makes them an attractive target:
- Data needs to be stored accessed, backed up and used appropriately to fully realise its academic or commercial value
- Sensitive data is also accessed from third-party organisations, such as medical institutions, that provide patient-identifiable or other clinical data. Universities may also access data that is considered commercially, operationally or personally sensitive
- Universities collect information about students, staff and finances, which might be considered sensitive
- Flexible / remote access to teaching and learning, and national and international collaboration contribute to a large attack surface of accessible, internet-facing services and infrastructure
- Attacks may lead to a loss of control over digital infrastructure, and interruption/ disruption of key services and activities. This may affect a university’s ability to maintain high-quality teaching and research provision, and its ability to uphold contractual or regulatory obligations
Unfortunately, threat actors have been quick to exploit these weaknesses, in both highly targeted and sophisticated attacks, and more opportunistic,high volume attacks.Jisc identified a growing number of destructive ransomware attacks against institutions: 15 major incidents in 2020, 18 during 2021, 19 in 2022 and nine in the first half of 2023. These impacted the core operations such as teaching and research. The increase in serious incidents in 2020 and 2021 resulted in the National Cyber Security Centre (NCSC) issuing an unprecedented three alerts to the UK research and education sector, highlighting targeted activity by hostile groups.
Assessing the risk
The Universities UK report is clear that institutions must balance ease of use, functionality and security, and advises close collaboration between all interested parties. This is a key point, as security needs to work for everyone. When it makes people’s jobs harder to do, users often resort to dangerous workarounds and shadow IT. This can broaden the attack surface even further and drive up cyber risk levels.
Organisations must also strike the right balance between the cost of implementing security controls and the costs that will be incurred following an attack or incident. It is essential that all potential costs are fully considered in such calculations, according to data protection regulator the Information Commissioner’s Office (ICO).
Risk assessments must also be viewed through a different lens. Given the pace of technological change—both in universities and the threat landscape, such reviews must be carried out almost continuously to ensure that they are fit for purpose. All too often, security assessments are viewed as an annual task to be filed away and forgotten about.
Strengthening security posture
The report outlines the following areas that must be addressed in the university sector:
- Governance – Someone needs to own cyber risk
- Assurance – An acceptable baseline should be seen as a starting point not a destination, with any risks identified in audits being proactively addressed and mitigated rather than passively accepted
- Technology - A strong security posture is dependent upon a range of technical controls working effectively together, as part of a defence-in-depth approach
- Culture – Staff and students are a university’s biggest asset but also often their biggest security risk. Security training and awareness programmes are therefore critically important
How Trend can help
Trend is currently helping many organisations in the university sector with their cyber security strategy through our platform-based approach managing risk across the entire cyber-attack surface. With the Trend platform, we can assist universities in all five areas of security control that are identified in the report:
- Preventative
- Detective
- Corrective
- Compensating
- Deterrent
Ultimately, the key for university IT teams is to blend a range of technical and non-technical controls, in order to move from a reactive to a proactive security stance. That means getting the basics right like prompt patching, but complementing this with more advanced measures like detection and response. This will ultimately help to ensure universities contain incidents and breaches faster, and build more effective resilience to bolster their defences for the future.