Why cyber-security is never ‘done’ - Dr John Chapman
Dr John Chapman
Over the last couple of years, a long line of industry experts have been quoted in the media explaining why the UK education sector is a target for cyber-attackers, and ready with guidance on how schools, colleges and universities should protect themselves.
While the advice is usually sound, it’s wrong to imply education is any more a target than other sectors. I also take issue with some of the more alarmist language: for example, just this month, one US cyber-security solutions provider chief information security officer unhelpfully described academic institutions as “sitting ducks”.
It’s irresponsible to pick out particular organisations or sectors as easy targets. The statement is also sweeping and inaccurate because it does not represent reality in the UK. I know this because, as the UK tertiary education sector’s expert digital body, Jisc has access to excellent information sources on the topic of cyber-security at colleges and universities.
Together with various security professionals, particularly at the UK’s National Cyber Security Centre, we gather and share knowledge and experience of cyber threats and attacks with our members; our experts talk daily to IT and security staff at colleges, universities and research centres; and we also conduct an annual cyber-security posture survey among those member organisations.
The real picture is far from rosy, though. It is a certainty that across sectors not all organisations are as well protected as they should be, and the same applies to tertiary education providers. Indeed, our 2022 survey suggests that creating a strong cyber-security posture remains challenging.
For example, when the survey asked “how well do you feel your organisation is protected?”, higher education (HE) respondents were cautious. Only 16 per cent scored themselves eight or more out of 10, suggesting strong awareness of the threat landscape. Further education replies were more positive, with 39 per cent scoring eight or above.
Comments around this question suggest that organisations rating themselves five to seven have controls in place, but feel they could do more to keep abreast of threats. For those scoring eight to 10, robust systems and processes were important themes, along with audits, certification and external support.
What is heartening is that survey results over the past six years indicate the general picture is improving. The 2022 survey report, which received responses from 123 organisations, indicates that cyber-security remains a high priority among senior leaders at UK colleges, universities and research centres.
Almost all responders – 97 per cent of HE and 94 per cent of FE providers – have cyber-security on their risk register, a rise of two and five percentage points respectively compared to 2021. High numbers also regularly report on cyber risks and resilience to their executive board (79 per cent of FE organisations).
This is important because senior leaders should take responsibility for cyber-security governance and risk management. In our experience, organisations where senior teams don’t rate cyber-security as a strategic priority are less likely to have the kind of on-going investment, processes and technical measures in place to defend well.
Over the last couple of years, ransomware has become – and remains – a well-documented danger to all kinds of organisations across the globe, educators included. In 2020, there were 15 serious ransomware attacks on HE and FE providers in the UK, with 18 in 2021 and at least 11 so far this year.
So, ransomware is rightly named in the 2022 survey as the top threat for HE organisations, with phishing/social engineering second. These places are switched for FE, with unpatched vulnerabilities taking third place for both HE and FE. This is a similar picture to 2021.
Accidental data breaches rank fourth on the list of threats this year, so I’m pleased to see an upward trend in security awareness training, although ideally, mandatory training for students would be more widespread.
Compulsory security awareness training is more common for staff than students, with 84% of HE and 77% of FE organisations implementing this. As in previous years, FE organisations (21%) are more likely to run compulsory student training than HE (5%).
More and more providers are recognising that in-house expertise is a critical piece of the cyber-security jigsaw. A total of 90 per cent of HE respondents report they had specialist staff in place this year.
The figure remains lower in FE, at 33 per cent, probably reflecting the fact that colleges find it more difficult to compete with the large salaries offered in the private sector. On the plus side, this represents a ten-fold increase since we first ran the survey in 2017.
Taking the survey stats and other information available to us, my conclusion is that, while there is a growing understanding of cyber risks within our sector, threats are still a huge problem. And it’s not going away anytime soon; just like the laundry, cyber-security is never “done”.
The views expressed in Think Further publications do not necessarily reflect those of AoC or NCFE.