Building cyber resilience in HE needs everyone’s commitment

When it comes to cyber threats in 2023, no sector is safe. While the financial, insurance and consumer industries have traditionally been some of the worst hit by breaches, higher education has fast become a new favourite target for attackers in recent years.

According to the United Kingdom government’s 2022 Cyber Security Breaches Survey, of the educational institutions surveyed, higher education employees were the most likely to identify breaches or attacks, with 92% reporting an incident within the last 12 months.

The consequences have been extreme. A ransomware attack impacting the University of York in 2021 resulted in sensitive data being encrypted and held captive by hackers for weeks without resolution. At other universities, sophisticated attacks such as phishing emails and distributed denial of service (DDoS) have run havoc – intercepting confidential logins, tampering with student data and forcing downtime during valuable learning hours.

A vulnerable sector

It’s unsurprising, then, that higher education institutions face a variety of challenges that render them at higher risk for such attacks.

For starters, the ongoing digital skills shortage has meant a lack of experienced candidates capable of safeguarding universities from today’s cyber threats.

In the private sector, 51% of businesses have reported a shortage of “basic technical cybersecurity skills”. In the public sector, additional budget constraints heightened by the global economic downturn have made matters even worse.

‘Head of Cybersecurity’ salaries are currently being advertised at a fraction of what they would be in a private firm, which makes cyber recruitment an uphill battle for many public sector organisations, including universities.

There has also been a surge in the number of devices being used by both students and staff on a daily basis. Laptops and mobile phones became staples of remote learning during the pandemic due to lockdowns and social distancing protocols. Internet of Things (IoT) devices – including assistive technology and ID scanners – have also become commonplace across university campuses.

While these devices boost efficiency and support learning, they also act as additional access points for hackers and bad actors looking to gain access to university networks.

Becoming a resilient fortress

It’s clear that higher education institutions today must work harder than ever, and face numerous obstacles, in order to safeguard students and staff from malicious cyberattacks. But how exactly can higher education step out of the cyber-criminal firing line and evolve from being the vulnerable target to a resilient fortress?

• Keep technology up to date: The technology and techniques used by hackers today have become extremely sophisticated – from automated bots to threats in the cloud and even along the supply chain via third-party vendors.

While IT budgets are often tight within higher education institutions, investment in up-to-date technology is key to reducing the risk of data breaches, which tend to be even more costly. In fact, the average cost of a data breach reached £3.69 million (US$4.6 billion) in 2022, so not investing in the right technology can prove to be even more detrimental to university budgets in the long run.

An audit of existing software and hardware is a great place to start, and enables higher education institutions to identify areas that require repair, overhaul or additional resources. For example, are your computers running an old version of Windows, and are your Wi-Fi networks armed with the best protections?

• Backup and recovery plan: Investing in the latest technology can help prevent data breaches, but what can higher education institutions do to minimise their impact if they do occur?

With the risk of cyberattacks becoming increasingly likely, one proactive step universities should take to future-proof their systems is to develop and deploy a data backup strategy.

A data backup strategy allows organisations to restore their data when needed, or repatriate it from backup sources such as the cloud, to prevent loss of records, ensure business continuity and prevent downtime in the event of a breach.

Whether a university is looking to improve its current backup strategy, or develop a new one, a great place (again) to start is an audit of current processes and legacy systems. Once a starting point has been established, new backup and recovery options can be introduced that fit the organisation’s unique needs and ensure all records held by the university are protected.

• The power of education: Reminding higher education institutions about the importance of education (when it comes to cybersecurity) may seem ironic. But with human error being one of main culprits causing data breaches – whether that’s a student replying to a phishing email, connecting to an unsecure public Wi-Fi network, or opening an email containing malware – this simply cannot be overlooked.

In many cases, it’s often a lack of this basic cybersecurity ‘hygiene’ and knowledge that leads to large attacks, so university cybersecurity teams must ensure all students and staff are up to speed on the current risks so they can remain watchful.

For example, policies should be introduced to outline what technology can and cannot be used on university networks and equipment. This can start anywhere from allowing only encrypted USB drives to be used, to more extreme measures, such as bans on certain apps and websites, which we are beginning to see more of with the current crackdown on TikTok on public sector devices.

The bottom line

With the growing number of cyberattacks on higher education establishments, strengthening the fort and investing in cybersecurity should be a top priority for UK universities.

The safety and security of student data, preventing costly breaches and avoiding prolonged downtime during teaching hours have become pressing objectives in recent times – but they can only be achieved once the right technology and processes are implemented.

As the old saying goes, “Rome was not built in a day”. There is no ‘easy fix’ when it comes to protecting a university from cyberattackers. Building cyber resilience is a process that starts with a review of existing systems. It requires investment in the areas that need it most, and it can be maintained only through continued review and an ongoing commitment – from everybody – to cybersecurity.

Dionne Barlow is director of marketing, e-commerce and partner management at IT support company Stone, A Converge Company.