
Building cyber resilience in higher education

Universities are prime targets for cyberattacks. Taking a holistic approach to prevention and response is essential to mitigating cybersecurity risks in higher education.

NCC Group
12 Feb 2025
Sponsored by
NCC Group


According to a 2024 survey by the UK government, 97 per cent of higher education institutions reported some form of cyber breach in the past 12 months. The sector is among the most targeted by ransomware and almost six in 10 institutions reported that they had been negatively impacted by a cyberattack. “Higher education is an attractive target to various threat groups,” said Matt Hull, global head of cyber threat intelligence at NCC Group, which provides cybersecurity solutions to help organisations identify vulnerabilities in their systems and protect against cyberattacks. 

Universities provide many opportunities for cybercriminals, Hull explained. Institutions collect data and financial information from students and they may be producing sensitive research. Their spread of systems can be broad, with staff and students connecting to WiFi across multiple sites, creating many points of vulnerability. With budgets stretched to the limit, not every institution can afford sophisticated cyber protection tools or the resources to monitor their systems 24/7. 

Having robust cybersecurity policies, ensuring they are communicated well and providing training for staff and students is a cost-effective and reliable defence strategy, said Tim Rawlins, senior adviser and director of security at NCC Group. “One of the ways you can make a significant difference to your cybersecurity is to follow your data retention policy. Not following it can mean universities are storing vast amounts of data they should not be holding, which means there is a huge volume of information at risk,” he explained. Business continuity policies should also be reviewed to consider the layers of impact a breach can have beyond the initial disruption of operations. 

Universities need to build awareness of potential threats and vulnerabilities so they can invest in the right tools and allocate resources effectively, said Natalie Walker, vice-president of global managed services portfolio and partnerships at NCC Group. “You can be proactive by introducing things like penetration testing. Look at any assets facing the internet – you cannot protect what you cannot see, so these systems could be vulnerabilities ready to be exploited,” she added. “Layer your tools based on your risk, budget and maturity. This will help you minimise downtime and restrict an attack to the minimum number of users.” 

Communication is crucial in getting all stakeholders to understand the importance of prevention. When a data breach happens, individuals experience the impact on a personal level and it can affect their student or staff experience, so encouraging cyber hygiene across the board is essential, the panel agreed. 

“You have to keep reminding people because it won’t be at the forefront of their mind,” said Rawlins, who advocated using “little nudges” such as lunch and learn opportunities and email banners warning staff against external threats. Hull said that avoiding a blame culture would increase buy-in: “Historically, with cyber incidents, we’ve blamed someone for clicking on a link, but approaches such as social engineering or phishing scams are designed to trick people. Let’s be transparent rather than beating someone up about it.” 

The panel:

  • Matt Hull, global head of cyber threat intelligence, NCC Group
  • Tim Rawlins, senior adviser and director of security, NCC Group
  • Sreethu Sajeev, branded content deputy editor, THE (chair)
  • Natalie Walker, vice-president of global managed services portfolio and partnerships, NCC Group

Find out more about NCC Group.
