As universities adapt to growing cyber threats, they must embed cybersecurity in their operations and culture, minimising risk, safeguarding data and lowering costs to protect their students, staff and reputation
As the Covid-19 pandemic spread across the world, many industries had to rapidly adopt new digital processes to maintain their service offering. In the higher education space, students and academics suddenly found themselves working from home. The adoption of new digital solutions accelerated the sector’s cybersecurity needs, making them a bigger target for cybercriminals. Lyn Webb, chief information security officer at the Open University, and Chris Atkinson, cybersecurity expert at PA Consulting, spoke with Times Higher Education about the challenges created by pandemic-enforced digitisation.
Students’ needs are at the core of the higher education sector’s considerations. “Students largely select a higher education institution based on its teaching quality or subject excellence, and universities pride themselves on being placed as high as possible on relevant league tables,” Webb says. “These days, students also expect universities to be good at security, to be safe places in which to operate and where their hard work won’t be lost. They trust universities with a lot of sensitive information, so these institutions have a huge responsibility.”
“The reputation of an institution is tied to its quality in the academic field. If the integrity of student data is compromised, it can affect a university’s credibility and reputation. This can be made worse if attacks result in a loss of research or critical services are taken offline during clearing,” Atkinson explains. “The vast majority of universities are taking cybersecurity more seriously today, viewing it as a strategic risk, but they are still dealing with chronic underinvestment. On average, out-of-date and insecure systems cost universities more than £2 million in recovery expense following a ransomware attack, plus the impact on the loss of university operations.”
Although recent years have seen progress in terms of cybersecurity, many institutions continue to struggle to protect their critical services, people and reputation. “It’s important to remember that cybersecurity doesn’t exist in a vacuum – institutions have multiple pressures on their finances and people that can appear conflicting,” Atkinson says. “Universities can find it difficult to get staff on board with the cultural change required to prioritise cybersecurity, but it needs everyone to succeed, from the top all the way down. Without this – and embedded cybersecurity improvements within wider digital and organisational transformation activities – universities will never catch up and will continue to be seen as an easy target for ransomware attacks, extortion, phishing and fraud by cybercriminals.”
“It’s essential to link cybersecurity to risk management,” Webb acknowledges. “Unfortunately, it is treated too much as a compliance issue. Vice-chancellors and their leadership teams need to build an understanding of what is most precious to their university. This might be a particular area of research or a pool of critical, sensitive and valuable information.”
“Covid has sped things up substantially,” Atkinson says. “There has also been a bit of a back and forth recently in terms of ransomware attacks on universities. Some institutions have jumped ahead by launching measures like multifactor authentication in response. But other universities continue to use out-of-date, insecure programs due to the cost of replacing them, leaving vulnerabilities exposed.”
Collaboration with other institutions, government and industry is widely seen as being crucial to improving universities’ cybersecurity readiness. “Universities are usually pretty good at working with other higher education institutions, and organisations like Jisc are helpful in this regard. But further collaboration could help immensely,” Atkinson says. “There is great work being done in other sectors, and higher education could improve by cherry-picking things that are done well from outside their own industry.
“For example, universities could benefit from reviewing their practices against the NHS’ Data Security Protection Toolkit. It covers everything from security governance to identity management and supplier assurance, taking learnings from industries such as manufacturing and logistics, where there are examples of companies that saw significant disruption and revenue loss due to ransomware attacks.”
As universities continue to transform, they should look to embed cybersecurity into their operations, minimising long-term risks and costs. Institutions must plan for when, not if, something goes wrong. They should have crisis management teams run annual cybersecurity stress tests, not simply rely on quarterly snapshots.
“Constant firefighting is not ideal,” Atkinson says. “All too often, there needs to be more joining of dots internally in terms of embedding the cultural shift required. This enables everyone to understand the part they can play, and strong security behaviours become the norm. That’s the only way of ensuring academic freedom is empowered alongside service continuity.”
“It’s also vital to measure,” Webb explains. “Universities are very good at reporting what they know they can measure, but they need to be braver at recognising what they can’t. Otherwise, it will always be the cybersecurity office in the firing line. More effective measuring will make incidents less of a surprise, which, in turn, will make them easier to prevent and manage.”
Effective cybersecurity means universities are able to continue undisrupted in the event of a cyberattack, upholding the trust of students, staff and research partners . Vice-chancellors and executive teams must lead by example, placing cybersecurity at the top of the agenda and maintaining best-practice across their institutions.
Find out more about PA Consulting.