Unleashing the True Potential of Organisational Cybersecurity Cultures

As the volume of cyberattacks on the educational sector increases, institutions are coming under more scrutiny from regulatory bodies. More than 17,000 data breaches in the sector have been reported to the Information Commissioner’s Office (ICO) in the last four years, many involving cyber threats such as ransomware and phishing.

Understandably, organisations are seeking refuge under regulatory guidelines to improve their security, as well as stay compliant.

However, new research from Immersive Labs suggests regulations may be less effective in driving real resilience against threats than previously thought. The study showed that regulated industries only marginally outperform their less-regulated peers regarding cyber resilience. There was only a 6% difference across key resilience metrics, indicating that regulated industries are not substantially better prepared for attacks than less-regulated fields on average.

What drives resilience? The findings point to building a cybersecurity culture from within and consistently exercising teams and individuals across the organisation as a greater predictor of preparedness for emerging threats, like those posed by Generative AI.

Cultural change can move more quickly than regulatory amends in the fight against increasingly advanced threats. Building cyber resistance is crucial for the education sector as the industry stores sensitive information such as bank account details and private information of the students, staff, and the students’ guardians.

Why must the education sector bolster its cyber stance?

Cybercriminals are constantly on the lookout for weak points to exploit. The education sector includes a vast student population and a modest staff cohort by comparison. This unique structure complicates the implementation of rigorous security protocols.

Further, educational institutions increasingly rely on a complex, widespread IT structure. This is because individuals try to access information from different locations and devices. A misguided click on a deceptive link by a student or a staff member can lead to a serious, disruptive cyberattack.
The education sector is among the top ten industries with an inadequate cyber crisis response. This highlights the need for the education sector to bolster its cyber stance by educating every team member on the devastating after effects of a cyber-attack.

Building a culture of cyber resilience

To build a culture of cyber resilience, education organisations must understand that security is not solely the responsibility of the security teams. Criminal gangs target the workforce of companies working in different sectors. However, each member of the institution, student or staff, is a target in the education sector. Hence, the need for cyber exercising.

The security team for a further education institute might be limited to a few members. These members are tasked to protect the organisation’s network, which is next to impossible. Institutions must invest in training their workforce to maintain good cyber hygiene.

It is important to understand that protecting a business against ransomware attacks must be everyone’s responsibility.

Creating organisational competence

Cyber resilience is more than having a proficient security team and advanced tools. Today, adversaries focus on individuals, deploying tactics such as phishing campaigns and emails with malicious software.
To bolster the defences, it’s crucial to evaluate the requirements of each person or department. Each member of the workforce, from the teaching to the non-teaching staff, plays an important part in this.
Tailored cyber exercise can be provided to address specific knowledge shortfalls, hone particular skills, and provide data to show skills gaps that need to be addressed. Outcomes from these sessions should be internally gauged and compared against industry standards, offering insights into an organisation’s preparedness against cyber threats.

Institutions must equip their employees with insights on safeguarding the organisation, such as real-time crisis scenarios. They must consistently gauge employees’ cyber capabilities and judgment using data sourced from mock drills, and routinely carry out cyber exercises to identify and rectify knowledge gaps.
Additionally, organisations must understand that a comprehensive, organisation-wide strategy that fosters and bolsters the workforce across all sectors ensures collective preparedness during crises.

Educating the educators

Apart from continuous training, regular variation in training simulations is imperative. Organisations might consider aligning their exercises with recognised security frameworks like MITRE ATT&CK, which is consistently updated to mirror the evolving threat landscape. Keeping abreast with updates in such frameworks offers insights into the latest strategies employed by cyber adversaries. By immersing employees in exercises grounded in these frameworks, they are better positioned to counteract threats individually and collectively.

To meet regulations, educational institutions need more than basic cybersecurity training for faculty and staff. A continuous, hands-on learning approach is key, engaging the community in best practices like robust password management and email scrutiny. Methods such as gamification instil a culture of collective responsibility, shifting the perception of cybersecurity from a transient issue to an enduring, community-wide concern.

Cybersecurity is not just an IT concern—it’s a collective responsibility. By fostering a culture of shared vigilance and equipping every individual with the right tools and knowledge, educational institutes can transform from being reactive to proactively resilient. It’s high time we view cybersecurity as an ongoing journey where every member of the organisation plays a pivotal role in safeguarding our digital futures.

By Max Vetter, Vice President of Cyber at Immersive Labs