Jisc’s latest cyber security posture survey shows that colleges believe ransomware is the top cyber threat this year – reflecting the impact this kind of attack has had on the tertiary education sector over the past 16 months.
Some colleges have been severely impacted, with systems crippled, and data lost, while recovery can take months and cost millions, all of which causes enormous stress for staff and students alike.
The sector has suffered a sustained increase in ransomware, with the number of incidents in the first half of 2021 surpassing the total in the whole of 2020.
The fall-out from ransomware may also explain why colleges’ estimation of their security posture has decreased slightly this year. As in previous surveys, perceptions of cyber security are still more positive among further education (FE) providers than universities, with 31% and 17% respectively scoring their organisation as 8+ out of 10. The mean score for FE this year is 7.0, while for HE it’s slightly less, at 6.3.
To mitigate this and the wider cyber threat affecting education providers, there needs to be even more collaboration between Jisc and the sector to share experience and implement best practice.
As well as running and providing cyber security protection for the Janet Network – the infrastructure on which colleges rely – we also provide threat intelligence and expert advice to members.
College principals and boards have overall responsibility for cyber security within their organisation, and so it’s encouraging that our survey reports that 92% of FE respondents feel it is a priority for senior leaders. In addition, 77% of FE organisations regularly report on cyber security risks and resilience to their executive board – a rise of nine percentage points over 2020.
Any college that does not prioritise cyber security is unlikely to have sufficiently robust processes and technical solutions in place to stop or mitigate an attack when it happens (not if). This is why it’s important that the sector works with us to identify vulnerabilities and make adjustments.
I understand that reducing the risk of cyber threat takes hard work and considerable resources. Alongside the need for ongoing government investment in well-protected IT infrastructure, the sector also needs both the services and staff with specialist skills and the leadership to enable cultural and technical changes within their institutions.
We know budgets are under huge pressure, now more than ever because of COVID-19, and investment will be a challenge. However, it’s likely to be substantially cheaper than the devastating impact of a significant and sustained systems outage and/or data breach.
One college principal, Simon Hewitt, described the impact on his organisation – Dundee and Angus College – as ‘brutal’, an ‘emotional rollercoaster’ and ‘the most challenging time of my career’.
Recruiting skilled security and IT staff is difficult, too, because of the UK’s technical skills shortage. While the government is tackling this, there’s no quick fix, and in the meantime, the public sector cannot easily compete with the much higher salaries offered by commercial organisations.
This could be a bigger problem for the less well-off FE sector than for universities. Our survey finds that 77 (83%) HE and just 16 (26%) FE organisations have dedicated cyber security posts.
Jisc, and partner agencies including the National Cyber Security Centre, have, for some time, been advising tertiary education providers about how to defend themselves against ransomware.
More generally, there are clear processes and services colleges can put in place to reduce the risk of all cyber attacks, and we encourage senior leaders to collaborate with their technology teams to implement these steps:
- Vulnerability management and patching procedures are essential for all systems, with priority given to critical and externally accessible services.
- Segmenting and isolating all critical service infrastructure helps prevent attackers who gain access to one system from moving on to others.
- Implementing segregated central logging and monitoring of critical systems enables early warning of potential problems and will help in incident investigations.
- Ensuring backups are segmented, secured and tested regularly is paramount.
- Frequently rehearse incident response plans and procedures. Practice won’t make security perfect, but it will ensure that the response in the event of an attack is effective, and that recovery is as quick as possible.
- Controlling system access is vital. Only those people who need access should have it. Multi-factor authentication (MFA) has a significant role to play in controlling system access more widely and, therefore, reduces the risk of a successful ransomware attack.
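The backup step above is the one most often found wanting after a ransomware incident: copies exist, but they are reachable from the production network, silently corrupt, or have never been restored. The following is an added illustration, not Jisc’s code or part of the survey; it assumes a simple backup manifest (name, recorded checksum, creation date, last restore-test date, network segment) and thresholds chosen for the example, and flags each backup set that fails the "segmented, secured and tested regularly" test.

```python
"""Audit a backup manifest for the four properties recommended above:
recent, intact (checksum still matches), on an isolated network segment,
and restore-tested within a set window.

Added example; the manifest layout, segment names and thresholds are
assumptions made for this illustration, not anything from the survey.
"""
import hashlib
from datetime import datetime

# Constructed sample manifest. "payload" stands in for the stored backup
# bytes; a real job would read the file and hash it rather than embed it.
SAMPLE_BACKUPS = [
    {"name": "student-records", "payload": b"sis-db-dump-v1",
     "sha256": hashlib.sha256(b"sis-db-dump-v1").hexdigest(),
     "created": "2021-07-01", "last_restore_test": "2021-06-20",
     "segment": "backup-vlan"},
    # Stored bytes no longer match the checksum recorded at backup time.
    {"name": "file-server", "payload": b"fileshare-snapshot",
     "sha256": hashlib.sha256(b"fileshare-snapshot-OLD").hexdigest(),
     "created": "2021-07-01", "last_restore_test": "2021-06-28",
     "segment": "backup-vlan"},
    # Old, sitting on the production LAN, never restore-tested.
    {"name": "vle", "payload": b"moodle-export",
     "sha256": hashlib.sha256(b"moodle-export").hexdigest(),
     "created": "2021-05-01", "last_restore_test": None,
     "segment": "prod-lan"},
]

# Segments treated as isolated from production (assumed names).
ISOLATED_SEGMENTS = {"backup-vlan"}


def _days_between(earlier, later):
    """Whole days from ISO date `earlier` to ISO date `later`."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).days


def audit_backups(backups, today, max_age_days=7, max_test_age_days=30):
    """Return {backup name: [findings]}; an empty list means the set passed.

    Findings are short tags so the result can feed a dashboard or report:
      stale                 - newest copy older than max_age_days
      checksum-mismatch     - stored bytes differ from the recorded SHA-256
      not-segmented         - backup reachable from a non-isolated segment
      restore-test-missing  - never restore-tested
      restore-test-overdue  - last restore test older than max_test_age_days
    """
    report = {}
    for b in backups:
        findings = []
        if _days_between(b["created"], today) > max_age_days:
            findings.append("stale")
        if hashlib.sha256(b["payload"]).hexdigest() != b["sha256"]:
            findings.append("checksum-mismatch")
        if b["segment"] not in ISOLATED_SEGMENTS:
            findings.append("not-segmented")
        if b["last_restore_test"] is None:
            findings.append("restore-test-missing")
        elif _days_between(b["last_restore_test"], today) > max_test_age_days:
            findings.append("restore-test-overdue")
        report[b["name"]] = findings
    return report


def failing_sets(report):
    """Names of backup sets with at least one finding, for the summary line."""
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    result = audit_backups(SAMPLE_BACKUPS, today="2021-07-05")
    for name, findings in result.items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
    print("needs attention:", failing_sets(result))
```

Run against the constructed manifest, only the student-records set passes; the file-server copy is intact on the network but would not restore cleanly, and the VLE copy fails on every count. The checksum comparison is the part worth keeping in any real backup job, since a backup that has been encrypted or truncated in place looks identical to a good one until someone tries to restore it.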
I’m pleased, therefore, that there has been a sharp rise in the deployment of MFA during the pandemic, although it’s not yet in place across the board. We recommend that it is rolled out to all systems, all staff and all students – and while the trend is heading in the right direction, there’s a little way to go.
In the survey, 87% of FE respondents indicate some form of MFA deployment for staff, a rise of 23 percentage points compared to 2020, but just 13% report MFA for students, compared to 10% in 2020.
Similarly, security awareness training is key in preventing security incidents caused by phishing and other ‘human errors’, which the survey acknowledges as the second and third top threats this year, behind ransomware.
To help address these issues, we advocate mandatory training for all users. Again, there’s room for improvement on this: 73% of universities and 66% of colleges run compulsory training for staff, but only 9% of HE respondents and 13% of colleges insist that students take a course.
So, while our conversations with members back up the latest survey stats in indicating cyber security is becoming more robust for FE and HE alike, there’s more to be done – and Jisc is here to collaborate with the sector, to improve resilience.
Heidi Fraser-Krauss, CEO, Jisc