By Luke Dash, CEO, ISMS.online
As students and teachers make their return to education, cybersecurity should be part of the back-to-school agenda. The UK’s universities and higher education (HE) institutions are facing an unprecedented number of cyber attacks as their cutting-edge research and extensive digital infrastructure make them attractive targets for state-backed actors and financially motivated cybercriminals alike.
MI5 has previously raised alarms about nation-state operatives targeting universities, aiming to steal intellectual property critical to national interests. However, it’s not just sophisticated state actors that pose a threat; cybercrime groups are increasingly focusing on HE institutions, exploiting vulnerabilities in staff and student systems for financial gain.
In fact, according to a government report published earlier this year, 97% of UK higher education institutions reported experiencing a breach or attack in the past year, with 43% encountering attacks at least weekly. The range of cyber threats, from phishing and impersonation to ransomware and malware, presents a constant battle for university IT teams. As students and staff have made their return for the academic year, universities need to enhance their cyber resilience to protect their systems and sensitive data.
Prioritising cybersecurity awareness training
One of the most effective steps universities can take is to prioritise cybersecurity awareness training. Although 84% of UK universities enforce information security training for staff, only 5% make it mandatory for students. This gap in knowledge leaves institutions vulnerable to attacks, particularly as cybercriminals often target students with phishing scams and social engineering tactics to gain access to university systems.
Training programmes that equip both staff and students to recognise common threats like phishing emails, malware, and suspicious links are crucial. These programmes should be regularly updated to reflect the latest threats and best practices. By fostering a culture of cybersecurity awareness, universities empower individuals at all levels to serve as the first line of defence against potential breaches.
Structured cybersecurity
Another fundamental step toward enhancing cyber resilience is through the adoption of recognised cybersecurity standards, such as ISO 27001. This international standard provides a structured approach to information security management, helping institutions systematically identify and manage risks.
Implementing ISO 27001 involves establishing clear information security policies, conducting regular risk assessments, and creating an incident response plan. The framework ensures continuous monitoring and improvement of cybersecurity processes. Importantly, ISO 27001 helps institutions comply with data protection regulations, such as GDPR, ensuring that both research data and personal information remain secure.
HE institutions that adopt ISO 27001 can significantly strengthen their cybersecurity posture by embedding security practices across all departments and faculties. This can help overcome one of the key challenges faced by universities: managing security across complex, distributed IT environments where networks span multiple faculties, labs, and remote users.
Embrace Cyber Essentials
In addition to ISO 27001, HE institutions should also consider obtaining a Cyber Essentials certification. This UK government-backed scheme is designed to help organisations protect themselves from the most common cyber threats. While it may not address more sophisticated attacks, it provides a solid foundation for mitigating common vulnerabilities. The Department for Education (DfE) has made Cyber Essentials certification mandatory for colleges and special post-16 institutions (SPIs) starting in the 2024–2025 academic year. Universities would do well to follow suit and implement Cyber Essentials as part of their broader cyber resilience strategy.
Cyber Essentials focuses on five key controls: secure configuration, boundary firewalls, access control, malware protection, and patch management. These measures can be implemented relatively quickly and at a low cost, making them accessible even to institutions facing financial constraints. For HE institutions that have experienced funding challenges in recent years, Cyber Essentials provides a cost-effective way to reduce risk and ensure compliance with government standards.
Incident response planning
An essential component of any cybersecurity strategy is a well-defined incident response plan. Universities must be prepared to respond to cyber incidents swiftly and effectively to minimise damage. This includes outlining clear roles and responsibilities for IT teams and senior management, maintaining robust backups, and ensuring regular testing of recovery procedures.
Alongside incident response, the principle of defence in depth should be applied across university systems. This involves layering multiple security controls, such as multi-factor authentication (MFA), encryption, endpoint detection and response (EDR), and firewalls. By creating multiple layers of defence, institutions can reduce the likelihood of a successful attack, even if one security measure is compromised.
Addressing the complexity of university networks
University IT environments are often complex, with many smaller, private networks providing specialised services for faculties and laboratories. Consistently enforcing security policies across these varied networks is a challenge. However, by adopting a centralised security framework like ISO 27001, universities can ensure consistent application of security controls and protocols across all departments.
Additionally, institutions should focus on securing the edge of their networks. This includes implementing strong security policies for staff and students who use personal devices (BYOD) to access university systems remotely. Unsecured devices can serve as entry points for cyber attackers, so robust endpoint protection and access control measures are essential.
Strengthening cyber resilience in HE institutions requires a comprehensive, multi-faceted approach that includes training, recognised frameworks, and practical security measures. As threats continue to evolve, universities must remain vigilant, prioritising cybersecurity across their entire ecosystem. By investing in best practices like ISO 27001, Cyber Essentials, and effective incident response planning, HE institutions can protect their valuable intellectual property and personal data, ensuring a safer digital environment for staff and students alike.