Higher education cybersecurity critical to UK industrial strategy

Cyber crime is high on the political agenda and is attracting considerable government investment. But are universities and colleges doing enough to protect their data and reputation, not to mention their staff and students? Steve Kennett, security director of Jisc, says institutions should make certain that they invest in cybersecurity.

The increasing number of cyber threats reported in the UK isn’t just newsworthy; the threats are also very real. Given this increase, it’s not surprising that the government’s 2016 National Cyber Security Strategy reaffirmed cyber threats as one of the most significant risks to UK interests.

The strategy comes with a significant investment of £1.9bn over five years to “support work to keep the UK protected from cybersecurity attacks”, including £860m for education and research to provide knowledge and skills in cybersecurity for the future workforce.

In addition, the government has published a green paper on its industrial strategy which, crucially for the cybersafety of the education sector, includes further investment in digital infrastructure and scientific research.

Secure organisations attractive to do business with

The Janet network, developed and operated by Jisc, is a major part of the UK’s critical infrastructure, and we help our members (universities, colleges and researchers) secure their cyberspace as well as protecting ours.

Implementing cybersecurity controls to protect systems seems obvious, but can be expensive, with return on investment difficult to quantify. But don’t underestimate its importance; the threat landscape is increasing and, with it, the requirement for assurances that data is secure.

An organisation that practises good risk management not only protects its reputation, intellectual property and data, but also offers its customers a measure of assurance, making it attractive to do business with.

Help users behave responsibly

Our Computer Security Incident Response Team (CSIRT) sees many types of attack on Janet daily. The attack we faced on our own infrastructure in December 2015 marked a change in hackers’ tactics and we accelerated our planned enhancements in the Janet network. It’s important not to treat security as a one-off event, but instead as something that needs continuous review and investment.

Current and emerging technologies present many opportunities for new ways of learning and collaborating, but universities and colleges must also meet the associated challenge to ensure their learners behave safely and responsibly in the digital space.

There are several safeguarding measures to consider, with Prevent training for staff the political hot potato at present, and in the spotlight again following the terror attack on Westminster in April. Designed to detect and tackle extremism in its infancy, Prevent is part of the government’s anti-terrorism strategy, although it is under review at the moment.

Five key tips for maintaining cybersecurity in your network:

  1. Identify your organisation’s critical assets or key information, the exposure of which would have a major impact on the organisation, and assess the risk.
  2. There’s little point investing in securing your devices, networks, and services if you don’t maintain and enhance their cybersecurity throughout the period that they are deployed.
  3. The most important activity to prevent common cyber attacks is to keep your technology up to date, and to apply the latest security patches as they’re made available.
  4. Cybersecurity mitigations will not be infallible; occasionally attackers will be successful. Taking steps to ensure that you can detect when cyber attacks have occurred (and knowing how to quickly recover from them) will pay dividends in the long run.
  5. It is essential that you always back up your important information and have a plan for recovering from a system failure. An attacker could crash a network or computer’s operating system, or data may be corrupted or wiped out by a hardware problem.

In addition, education institutions should install robust web filtering and email security services. The former helps safeguard users from inadvertent exposure to illegal or inappropriate material, while the latter spots vulnerabilities from threats such as phishing, malware and spam, and has tools to protect against domain name system (DNS) spoofing that could see users unknowingly being directed to malicious websites.

Finally, it’s worth developing (and regularly reviewing) an internet safety policy that takes into account current technologies and social media. Under this policy, be clear about what is expected of staff and students and deliver relevant training. You may want to cover areas like the legalities of copyright and music downloads, plagiarising content from the web, explicit material, and online bullying.

Steve Kennett
Security director, Jisc